Microsoft System Center is a family of IT management solutions (including Operations Manager and Systems Management Server) designed to help you manage your mission-critical enterprise systems and applications.

HSBC is deploying System Center solutions to manage 15,000 servers and 300,000 desktops worldwide. That's big. See HSBC and other case studies at DesignedForBig.com
24 Toughening Up Virtual Server

Are you about to jump on the virtualization bandwagon? Before you do, you need to be aware of the technology's real security concerns. Here are some practical solutions that you can use.

Learning Path ..... 31

InstantDoc ID 95253 —JOHN HOWIE
27 Virtualized Preparedness

Virtualization technology is the main ingredient in this IT director's budget-friendly disaster recovery/business continuity plan.

InstantDoc ID 95251 —B.K. WINSTEAD
SOLUTIONS

32 Get In Sync with DFSR

Ditch Robocopy (and FRS) for replication and synchronization on your network, and implement easy-to-use DFSR on Windows Server 2003 R2 instead.

How DFS and AD Work Together ..... 34
48 Exchange Storage Ins and Outs

Discover Microsoft's recommendations regarding storage groups (SGs), RAID, transaction logs and databases, circular logging, and SANs.
REQUIRED READING: BACKUP AND RECOVERY

51 Vista's New Backup and Recovery Technologies

To make backup and recovery processes more useful and forgiving, Microsoft built Vista's new backup capabilities from the ground up instead of repackaging the old backup technology.

Vista Backup and Recovery Checklist ..... 53

InstantDoc ID 95240 —ED ROTH
55 SharePoint and InfoPath: A Powerful Duo

The strong integration between Windows SharePoint Services 2.0 and Microsoft Office InfoPath 2003 lets you collaborate by publishing forms to your SharePoint sites.
38 Internet Explorer 7.0

Deploy Internet Explorer 7.0 to take advantage of the Web browser's cool new features and enhanced security.

Preventing Internet Explorer 7.0 Automatic Deployment ..... 40
REQUIRED READING: SECURITY

43 Longhorn Server PKI

Longhorn Server's public key infrastructure (PKI) has the most features of any PKI version, and installing Windows Certificate Services is easier than ever.

New Longhorn Server PKI Features ..... 46

InstantDoc ID 95172 —JAN DE CLERCQ

60 SharePointers

Bob Mixon offers up SharePoint solutions from an administrator's perspective.

InstantDoc ID 95417 —BOB MIXON

62 The Group Policy Route to Office Deployment and Management

Use these two features of Group Policy to better manage Office: Group Policy Software Installation deploys Office, and Office Administrative Templates locks down the behavior of various Office applications for your users.

InstantDoc ID 95210 —DARREN MAR-ELIA


COLUMNS 



Karen Forster

IT Pro Perspective
Open Source Support: What's in It for Microsoft?

Interoperability has become as important as security and privacy. Microsoft realizes the competitive advantage it can gain by embracing its customers' needs.
InstantDoc ID 95352
Need to Know

Vista's User Account Control and BitLocker Drive Encryption

With Windows Vista, Microsoft set out to create the most secure Windows version yet. By all accounts, it was successful. This month, Paul Thurrott covers features that will ensure your data and your desktop stay protected.
InstantDoc ID 95153
14 Hey, Microsoft!

From Unified Messaging to Unified Communications

Many readers haven't heard of unified communications (UC), and even those who have don't know specifically what it is. Learn the details about UC, how it differs from UM, and what it could mean for your company's communication policies.

InstantDoc ID 94924
The Evolution of Windows Storage Solutions

Windows Storage Server and Windows Unified Data Storage Server devices are quick and easy to deploy and answer today's need for NAS.
19 Industry Bytes

Our editors share insights from their conversations with Arcot Systems, Quest Software, and Adobe Systems.
77 Readers Review Hot Products

Fastnet's MailCleaner Enterprise, MVsoft's MvPCInfo 2.1, SystemTools Software's Hyena 7.0 Enterprise Edition, and NetPro's ChangeAuditor 3.5.
Paul's Picks

Windows Vista's security is an improvement over XP but proves a little light when it comes to enterprise security features. Vista Ultimate Extras, the new Plus! pack for Vista Ultimate, includes BitLocker Drive Preparation tool—just about the only compelling product in the pack.
InstantDoc ID 95160

—PAUL THURROTT

New & Improved 

Check out the latest products to 
hit the marketplace. 

PRODUCT SPOTLIGHT 
Vizioncore's esxRanger, Charter, 
Replicator, and Migrator. 
67 Ask the Experts

Learn about DNS scavenging and how to configure it, find out how to migrate applications during a move to Vista, and learn all about Vista's user account security.
InstantDoc ID 95227


69 Reader to Reader 

Protect the data on your USB 
storage device, easily discover in 
which GPO a setting resides, and 
quickly match TCP connections 
with processes. 
Windows Mobile 5.0 Smart Phones and Pocket PCs

These feature-packed mobile devices can function as your office away from the office and eliminate the need to pack a tool belt full of cell phones, pagers, and PDAs when you're on the go.
Successfully Managing Change

Effective, successful change management requires clear and honest communication with employees and sensitivity to their feelings.
Windows Power Tools

The Rise of Whoami

A great new tool in Vista and Windows 2003 offers a quick command-line method for taking ownership of files and folders.
InstantDoc ID 95051


Michael Otey

Top

New Program Locations in Vista

Some important programs are no longer in the same places they were in XP and can be quite difficult to find in Vista without some help.
HIT SPYWARE. HARD.

Your weapon: CounterSpy Enterprise. Centralized spyware eradication.

Spyware: the new number one enemy for IT. Recent surveys of IT specialists show that spyware infections have reached epidemic proportions and that existing antivirus tools are not enough to fight the war on spyware. Spyware is one of the most serious security threats and productivity killers today. For the enterprise, common antispyware and antivirus can't cut it.

CounterSpy Enterprise: Knock out spyware from one centralized location. Company-wide spyware management requires a real enterprise product. CounterSpy Enterprise is just that: a scalable, policy-based, antispyware tool built from the ground up for system and network administrators to kill spyware quickly and easily.

Real-time protection. Active Protection™ Monitors deliver real-time desktop protection to workstations to reduce the chance of spyware infection. From the Admin Console, you have the ability to centrally control what actions are taken when these monitors detect change on the desktops.

Editor's Choice

The best spyware database in the industry. Period. CounterSpy Enterprise's database has been independently validated as the best antispyware database in the industry. Why? It benefits from multiple sources for new spyware definitions, including Sunbelt's Research Team and information collected from CounterSpy consumer users through Sunbelt's ThreatNet™. No other antispyware product can claim that!

Free trial. Find out how many machines in your organization are infected now. Scan the machines in your enterprise for free. Download the trial.

Sunbelt Software

SPECIAL OFFER: Evaluate the FREE trial and get a "HIT SPYWARE. HARD." t-shirt: www.sunbelt-software.com/csewin
Exchange Server 2007 Without a Hitch

Do you wonder just how Exchange 2007 will improve your email environment and enhance productivity? Join independent experts and your peers and colleagues for the Microsoft Unified Communications roadshows, coming to eight US cities in April and May. In addition to a product feature overview, you'll learn how to effectively install, manage, and secure Exchange 2007.
http://www.windowsitpro.com/roadshows/exchange2007usa
WINDOWS SERVER "LONGHORN" ROADSHOW

Get a live, under-the-hood look at Windows Server Longhorn virtualization, deployment, Web services, and core reliability breakthroughs! Join experts for training, demonstrations, and in-depth discussions.

http://www.windowsitpro.com/roadshows/longhorn


Open-Source Technologies on Windows

TechX World will give you the tools you need to efficiently operate, manage, and secure an integrated IT environment and maximize ROI. We're bringing together industry experts, third-party providers, and the world's most powerful vendors in the IT marketplace to present practical, real-world information to help you manage the demands on your IT infrastructure while you meet critical business objectives. Register now!

http://www.techxworld.com/registration/?code
Migrating to Windows Vista: Recognize the Security Risks

If you're considering migrating, remember that security is of the utmost importance. Download this free white paper to learn how migrating to Vista affects messaging and Web security. You'll also get an informative summary of the key concerns to watch out for in the migration.

http://www.windowsitpro.com/go/whitepaper/messagelabs/vistamigration



YOUR SAVVY ASSISTANT

Let your new assistant, Christan Humphries, point you to the hottest articles in systems management, messaging, SharePoint, Office, networking and hardware, security, and SQL. Here's a section from one of her recent posts:

Here are some suggestions from people who actually know what they're talking about—and probably won't be sarcastic like me: our subject matter editors.

Mobile and Wireless

Assistant Editor Megan Bearly, whose specialty is mobility, chose "More BlackBerry 4.0 Tips and Tricks" (InstantDoc ID 50169). Megan wants you to know about this article because "the author talks about sources of valuable data relevant to BlackBerry administration. This article is helpful because it goes over steps that BlackBerry administrators can take to manage their users' BlackBerrys."

Group Policy

Associate Editor Caroline Marwitz, our AD expert, wants you to know about a great article: "Troubleshooting Group Policy," by Darren Mar-Elia (InstantDoc ID 92759). Caroline says, "Group Policy has so many moving parts that there's always room for something to go wrong. That's why I recommend Darren's article: It offers a quick, step-by-step guide that helps you troubleshoot Group Policy."

http://www.windowsitpro.com/blog
Are local Administrator accounts setting you up for a fall?

Lieberman Software

DOWNLOAD A FREE EVAL!

www.liebsoft.com/rpm

Microsoft Gold Certified

1-800-829-6263
sales@liebsoft.com
(01) 310.550.8575

LEARN MORE!

Sharing a common password across local Administrator accounts endangers your networked systems!

The convenience of using the same local administrator password on all your systems comes with a serious downside. If a user cracks the password on just one machine, he or she instantly gains peer-level access to your entire network. Manually setting, changing, tracking, and auditing these passwords is prohibitively difficult — but there is a solution. NEW Random Password Manager 3.0 gives you the power to easily, dynamically, and automatically manage local administrator passwords. Stop the chain reaction before it starts. Get Random Password Manager 3.0 today!

• Creates unique, cryptographically complex passwords across the enterprise.
• Retrieves passwords on demand through a secure web interface.
• Re-randomizes recovered passwords after a fixed period of time.
• Supports Windows, Unix, Linux, and SQL Server password randomization.
• Eliminates the need for Vista users to contact Help Desk when UAC requests administrator credentials.
• Sets up easily; scales from small to large environments with no agents needed.
• Issues temporary administrator privileges to delegated users.

© 2007 Lieberman Software Corporation. All other trademarks are the property of their respective owners.









IT Pro Perspective

Open Source Support: What's in It for Microsoft?

Maintaining a widespread Microsoft skill set is the competitive edge

Yes, Microsoft takes Google seriously as a competitor, especially in light of the recent release of the Google Apps office productivity suite. But I keep coming back to Bill Gates's repeated assertion that not Google and not Linux, but rather IBM is Microsoft's most serious competitor. I believe him. Microsoft's business is built around ease of use. The company's stack of OSs and applications has a large customer base that has acquired Microsoft-specific technical skills. IBM's business is built around a services model, with consultants who can deploy and support any systems, no matter how difficult to use they may be. And IBM is out there busily seeding Linux solutions in businesses. If IBM's consultants were able to neutralize Microsoft's competitive advantage of relying on an established industrywide Windows-based skill set, Microsoft could end up watching its business dwindle.

This idea of IBM's potential threat to Microsoft's dominance came to mind during a conversation about Microsoft's reinvigorated commitment to interoperability. I was talking with Jean Paoli, Microsoft's general manager of Interoperability and XML Architecture. Jean emphasized the company's focus on a structured approach to supporting mixed environments. One passing statement of Jean's stuck in my head. He said, "Microsoft delivers interoperability by design, building bridges to competitors and partners—by design, as opposed to having a lot of consulting services coming in and connecting the different systems."

I added the emphasis in the last phrase because I believe it's at the heart of Microsoft's interoperability strategy, as well as its overall strategy as a company. (For example, this approach echoes the point of the Dynamic Systems Initiative—DSI—a companywide priority for making Microsoft products easy to manage by leveraging IT knowledge.) So what is this new structured approach to provide interoperability by design?

Connect People, Data, Diverse Systems

Jean told me that Microsoft's customers consider interoperability, which he defined as "connecting people, data, and diverse systems," to be as important as security and privacy. To address interoperability's importance, Microsoft's new structured approach revolves around four "tool sets."

Product. Jean described this tool set as making sure that "the way we build products incorporates the interoperability dimension." ("Interoperability dimension" refers to all Microsoft interoperability functionality.)

Community. Jean said this tool set is about "how we work with partners, competitors, and customers" to build those bridges to competitors and partners. An example is the Interoperability Customer Executive Council, which has the purpose of understanding "the core scenarios that customers care about." When I asked about Microsoft's agreement with Novell, Jean said, "In October 2006 we announced the Interop Vendor Alliance, a global, cross-industry group of software and hardware vendors that work together to identify opportunities for enhancing interoperability with Microsoft systems on behalf of their customers. This is a way for Microsoft to work with companies like Novell. Red Hat just joined. We now have almost fifty partners."

Access. Jean said this tool set allows partners, competitors, and customers to use "some intellectual property and some technologies that Microsoft created" to enable interoperability in their technologies and connect to Microsoft's solutions. An example is the Open XML Translator project, to "create tools to build a technical bridge between the Office Open XML formats and the OpenDocument Format (ODF)." Jean said, "This is very practical because we know some governments in the world require interoperability here."

Standards. This tool set gives Microsoft a voice in determining which industry technical standards are adopted. By participating in industry standards bodies, Microsoft can help ensure that the company's products are viable in markets that require interoperability (e.g., governments). An example is the December 2006 announcement that Ecma International approved the Office Open XML format as a standard. Jean said, "Novell is implementing this standard in Open Office. With Open XML, we implemented this in Office 2007 (and earlier versions by means of a free update)."

Jean concluded, "What's really important is that we're taking this very structured approach with those four tool sets to go back to basics, understand the practical customer needs, and resolve them."

Building Interop Skills

By designing interoperability into its products as well as its business strategy, Microsoft is providing its customers with new Microsoft skills and reducing the need to call in that army of consultants. Doing the right thing for customers is always a way to improve a company's competitive position. To help you address interoperability and gain some of those skills, we've created a new Web site, http://www.techxworld.com/community/default.aspx. Please contact me or our interoperability editor, Lavon Peters (lpeters@windowsitpro.com), with topic ideas and article submissions.

InstantDoc ID 95352
Windows IT Pro and SQL Server Magazine and for-

Did You Know?

Get the complete picture of interoperability at TechX. Learn what's realistic and doable today and what isn't. Coming to New York City on May 1; Washington, DC, on May 3, with a bonus government market track; and San Francisco on May 8, with a bonus Mac track (http://www.techxworld.com).
ADVERTISEMENT

Maximum System Performance

Getting to the Bottom of Common Reliability Problems

As an IT Professional, you know the importance of maintaining system performance and reliability. If the desktops or servers crash, slow down or freeze, who gets called? That's right... you or your IT staff. This "break-fix" cycle leaves you little time to be proactive. And yet, many of these issues stem from a single, hidden source.

Reliability issues commonly traced to disk fragmentation.

The most common problems caused by file fragmentation are:

• Crashes and system hangs/freezes
• Slow boot times and boot failures
• Slow backup times and aborted backup
• File corruption and data loss
• Errors in programs
• RAM use and cache issues
• Hard drive failures

Having files stored contiguously on the hard drive is a key factor in keeping a system stable and performing at peak efficiency. The moment a file is broken into pieces and scattered across a drive, it opens the door to a host of reliability issues. Even a small amount of fragmentation in your most used files can lead to crashes, conflicts and errors.

(GET THE PROOF HERE: www.diskeeper.com/paper2)

The weak link in today's computers

The disk drive is by far the slowest of the three main components of your computer: CPU, memory and disk. The fastest CPU in the world won't improve your system's performance if the drive is fragmented, because data from the disk simply can't be accessed quickly enough.

Is real-time, automatic defragmentation needed in today's environment?

More than ever! Large disks, multimedia files, applications, operating systems, system up-dates, virus signatures—all dramatically increase the rate of fragmentation. Fragmentation increases the time to access files for all common system activities including opening and closing Microsoft® Word documents, searching for emails, opening web pages and performing virus scans. To keep performance at peak, fragmentation must be eliminated instantly.

Advanced, automated defragmentation

Maintaining systems can be a daunting task—maintenance, including regular defragmentation, must take place regularly to keep them running at peak levels. However, with constant uptime required, scheduling such processes to run at the right times can be tricky, since while running they pose a considerable drain on system resources.

Diskeeper 2007 marks the end of scheduling, and the beginning of REAL TIME, on-the-fly maintenance of systems. Never again worry about dips in performance or straining valuable system resources—even when demand is at its absolute highest!

Customers agree Diskeeper maintains the performance and reliability of their desktops and servers, reducing maintenance and increasing hardware life.

"We run [Diskeeper] on our client PCs as well as our servers... with Diskeeper running daily, we can keep file performance at peak efficiency."

Tom Hill, CDR Global, Inc.

Every system you manage needs Diskeeper for enhanced file system performance—automatically!

Diskeeper 2007
Enhancing File System Performance—Automatically!™

Special Offer

Try Diskeeper 2007 FREE for 45 days!

Download: www.diskeeper.com/win7

(Note: Special 45-day trialware is only available at the above link)

Volume licensing and Government / Education discounts are available from your favorite reseller or call 800-829-6468 code 4412

Top 5 reasons customers use Diskeeper (From Diskeeper Customer Survey—Read survey at: www.diskeeper.com/survey):

• Performance and Reliability: 83%
• Automatic operation: 83%
• Much superior to built-in defragmenter: 44%
• Longer systems life with less maintenance: 44%
• Fast backups and antivirus and/or spyware scans: 35%
Secure Communication Drives Business Success

Microsoft® Exchange™ Server 2007 running on Dell PowerEdge™ servers delivers a comprehensive, completely integrated end-to-end unified messaging solution - from the user to the datacenter.

Dell brings together aspects of a messaging environment - networking, servers, storage, services, tools and support - in one easy-to-use, cost-effective solution to reduce risk and increase performance and end-user productivity.

Rigorously tested and validated, it can dramatically reduce the costs and complexity of managing messaging environments. And since it is from Dell, you get scalable solutions built on standards-based products, and confidence in moving your business forward.

Microsoft Exchange Server 2007

For more information, contact your sales representative or visit www.dell.com/exchange

Dell and PowerEdge are trademarks of Dell Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell disclaims proprietary interest in the marks and names of others. © Copyright 2007 Dell Inc. All rights reserved. Reproduction in any manner whatsoever without the express written permission of Dell Inc. is strictly forbidden. For more information, contact Dell.
Exchange 2003 or 2007: How to Choose?

I read Karen Forster's IT Pro Perspective: "The Value of Vista, Office, and Exchange" (January 2007, InstantDoc ID 94455) and have a few questions and comments. I'm currently the administrator in a Novell GroupWise shop. I'm putting together a plan to change our messaging infrastructure to Exchange. Should I go to Exchange 2003 or Exchange 2007? My manager and I have some concerns about upgrading to a new Microsoft product early in its life cycle, but I also have concerns about upgrading now, then again in two or three years. I don't plan to roll out Vista in our environment for at least 18 months, but I'm considering the upgrade to Office 2007 by the end of this year.

What do I gain by upgrading to Exchange 2007 in this plan? Would it be better for me to go with Exchange 2003 now, migrate our users to Office 2007, then upgrade to Exchange 2007? What about administration of Exchange 2003 versus Exchange 2007? I know administration is different between the two Exchange systems, but is it so different that it would require a lot of training to go from 2003 to 2007?

At this time, there doesn't appear to be a lot of third-party support for Exchange 2007. I know that will happen in the future, but I may need it in the short term. I've talked to small local integrators along with large firms like EMC and Dell. After talking to these companies, if I decide to deploy Exchange 2007 in the next couple of months, it looks like I'll be one of the first to deploy Exchange 2007. What kind of support can I count on? Is Microsoft support ready for this?

—Bill Baltas

Bill, you've asked some great questions. I could write an article on this topic, but let me give you some basic answers here.

• It doesn't make sense to upgrade now and then again in a year or two; doing so requires extra effort on your part. Better to do it only once, even if that means waiting a while.

• Administration between Exchange 2007 and 2003 differs a good bit, but many things are easier and better in Exchange 2007. If you're not already familiar with Exchange, you probably will need training, but that is true with either version.

• It's true that some third parties aren't ready to support Exchange 2007 yet. This is incomprehensible, given how long the public beta was available. Now is a good time to examine the third-party products you use and to evaluate whether they're right for your needs.

• Upgrading buys you lots of things. Windows IT Pro has published many articles that describe all the new features. (For example, see "Exchange Server 2007 New Features," InstantDoc ID 94501; and "Surveying Exchange Server 2007," InstantDoc ID 50052.)

• Finally, Microsoft has been using Exchange 2007 internally for more than a year, as have a number of other companies participating in Microsoft's Technology Adoption Program (TAP). Microsoft's support folks are ready.

—Paul Robichaux

More Antispam Solutions for Business

Regarding your Buyer's Guide: "Antispam Solutions for Business" (January 2007, InstantDoc ID 94326), I wish you'd taken a moment to consider the other very significant free tool used to combat spam. A section in the article that highlighted Sender Policy Framework version 1 (http://www.openspf.org) would have been a great addition.

If you want to make a serious dent in spam, start preaching SPFv1! Start addressing all those domain name registers and ISPs that allow DNS records without any SPFv1 information to protect the registered domain name they have taken responsibility for. Their irresponsible attitude toward providing SPFv1 records in DNS is the reason we have the amount of spam we do. I'd look forward to an article about SPFv1.

I'd like to add another antispam solution to your list: an SMTP proxy called eWall from Innovative Communications (http://www.sssolutions.net/ew). I've installed eWall in five locations, and it's a highly effective and customizable solution. I've used several of the products that your Buyer's Guide lists and have dumped them all for eWall.

—Johan Pingree

Slipstreaming Windows XP

I want to thank you for Paul Thurrott's online article "Slipstreaming Windows XP with Service Pack 2 (SP2)" (http://www.winsupersite.com/showcase/windowsxp_sp2_slipstream.asp). For the many of us who are taking the plunge and running XP on a Mac, this information is invaluable. The instructions are very clear, and unlike a lot of guides that have screen shots, everything looked exactly like what was happening on my machine. This is comforting for someone like me, who can follow instructions but has no idea what the steps I'm taking are actually doing. Great site.

—Tom Lynham
InstantDoc ID 95380



EDITOR'S NOTE

Windows IT Pro welcomes feedback about the magazine. Send comments to letters@windowsitpro.com, and include your full name, email address, and daytime phone number. We edit all letters and replies for style, length, and clarity.

Oops

The caption accompanying the photograph of a What's Hot contributor in the March 2007 Table of Contents incorrectly identified the contributor. The reader in the photo is Alexis Laliberte, technical consultant. We apologize for any inconvenience this error might have caused.


www.windowsitpro.com 
Paul Thurrott (thurrott@windowsitpro.com) is the news editor for Windows IT Pro. He writes a weekly editorial for Windows IT Pro UPDATE (http://www.windowsitpro.com/email) and a daily Windows news and information newsletter called WinInfo Daily UPDATE (http://www.wininformant.com).

Did You Know:

Paul provides an in-depth review of Vista's new security options at the SuperSite for Windows (http://www.winsupersite.com/reviews/winvista_05b.asp).
What You Need to Know About...

Vista's User Account Control and BitLocker Drive Encryption

The new security features in Windows Vista will directly impact the lives of IT pros and administrators (and not always in a purely positive manner). By all accounts, Microsoft has made Vista the most secure Windows version ever produced, yet many industry analysts believe that these security features can tend to overwhelm the user, and that even the most secure Windows version ever could stand some additional hardening. This is the first of several articles that will address what IT pros need to know about Vista security.

What We're Not Discussing

When it comes to new software, it's hard not to focus on the bits that show up obviously in the UI. In Vista, these UI baubles include items such as Windows Security Center, Windows Defender, Windows Firewall, parental controls, Internet Explorer (IE) 7.0 Protected Mode, Windows Update, and Automatic Updates. Because a discussion of these features is decidedly high-level and you'll almost certainly read about them elsewhere, we're going to ignore them for the time being and concentrate instead on more fundamental, low-level security technologies that will regularly impact your job.

User Accounts and UAC

Like previous Windows versions, Vista uses user accounts to determine which tasks users are allowed to perform and which computer resources they are allowed to access. Earlier versions of Windows included four basic user account types. From most restrictive to least restrictive, these were Guest, Standard User, Power User, and Administrator. In Vista, the Power User type, essentially a compromise between Standard User and Administrator, is gone: the Power Users group still exists for backward compatibility, but it no longer carries any elevated rights of its own. All the remaining account types, including Administrator, are now locked down more securely than ever before. The result is a simpler, more manageable set of account types.

Vista's changes to user accounts all seem to have been implemented with an eye toward better security. At first glance, the default admin-level account, Administrator, seems to have disappeared. It hasn't; the built-in Administrator account is simply disabled and can be enabled if you think you really need it. But the first account you create for any Vista installation is an administrator-level account, so you really don't need the built-in one. In fact, it's best to leave it disabled: by default it has no password, and, unlike the administrator accounts you create, it is exempt from UAC's Admin Approval Mode, so anything that runs under it runs with a full administrative token and never sees a consent prompt.

The most substantial change to user accounts is User Account Control (UAC). Although it's the most reviled feature Microsoft has added to Vista, UAC is, in my opinion, one of the most important changes in the new OS. Essentially, UAC lets Vista be as locked down and as secure as possible in its default running state. However, any time


Summaries of in-depth product 
reviews on Paul Thurrott's 
SuperSite for Windows 
http://www.winsupersite.com 

VISTA SECURITY 

PROS: Windows Vista includes major security enhancements over Windows XP. 

CONS: Security in Vista is still baseline only, no antivirus capability included; it’s unclear how 
Vista will adapt to evolving threats. 

RECOMMENDATION: Vista has been developed from the ground up to be more secure and 
includes many low-level and user-oriented security features. However, Vista still doesn’t 
include every protection users or businesses require. There’s no antivirus solution in 
Vista, for example, and some of Vista’s security features—such as Windows Firewall and 
Defender—aren’t robust. 

CONTACT: Microsoft • 800-426-9400 • http://www.microsoft.com 

FULL REVIEW: http://www.winsupersite.com/showcase/winvista-security.asp 

VISTA ULTIMATE EXTRAS 

PROS: Unlike previous Plus! packs, some Extras are actually useful, even to enterprises 
CONS: Not available without purchasing Windows Vista Ultimate; ought to be made available 
to other Vista users at added cost 

RECOMMENDATION: To provide further advantage to customers who purchase the most 
expensive Vista version, Vista Ultimate, Microsoft has added a new set of downloads, dubbed 
Windows Ultimate Extras. For now, the only compelling Extra is the Windows BitLocker Drive 
Preparation tool, a wizard-like utility that automates adding BitLocker protection to your 
system. 

CONTACT: Microsoft • 800-426-9400 • http://www.microsoft.com 

FULL REVIEW: http://www.winsupersite.com/reviews/winvista_ultimate_extras.asp 

InstantDoc ID 95160 
the user starts an application, changes a setting, opens a Control Panel applet, or does anything else that could affect system state, Vista displays a consent dialog box: a modal window that appears over a grayed-out snapshot of the current desktop. You must deal with this dialog box before you can continue working, hence my use of the word "reviled" above: It's extremely annoying. What you see varies slightly depending on the type of user account you're using.

Consider the pre-Vista days: In Windows XP, users with an admin-level account could do anything, including trashing system files. Standard users, meanwhile, could do very little; they couldn't even play most games. Thanks to UAC, Standard User is now completely viable: any time a standard user tries to perform an admin-level task, the consent window appears and asks for the username and password of an administrator-level account. (Microsoft calls this the over-the-shoulder prompt. Note that the elevated task then runs under that administrator's account, not the standard user's.)

What's interesting is that even administrator-level users must deal with these UAC consent windows, though they need only click a Continue button. For admin-level users, UAC is essentially an "are you really sure about that?" check. The prompts appear on the Secure Desktop (the same isolated desktop you see when you press Ctrl+Alt+Del in XP or Vista), which ordinary applications can neither draw on nor send input to, so malware can't spoof the dialog or click Continue on your behalf. The one exception is the built-in Administrator account, which by default is exempt from these prompts; that's another reason to leave it disabled.

Perhaps the most amazing thing about UAC is that it locks down administrator accounts. When an administrator logs on, Vista issues two access tokens: a full administrative token and a filtered (standard-user) token from which the administrative group memberships and privileges have been stripped. Everything you start, Explorer included, runs with the filtered token, so an administrator's applications ordinarily have the same privileges as a Standard User's. When a task needs more, Vista prompts you with a UAC consent dialog box and runs only that task with the full token. Most Vista actions that require elevation display a small graphical shield to warn you what's about to happen. You can also elevate manually: for example, right-click Command Prompt in the Start menu and choose Run as administrator to run it with the full token. You'll need to do this for any admin-level work from the command line, because an unelevated console never becomes elevated on its own; privileged commands in it simply fail with "Access is denied." (You can create shortcuts that always run individual applications as administrator, but you still need to handle the UAC consent dialog box each time you use the shortcut.)

On paper, UAC seems like a dream come true. However, most users will soon run afoul of this feature. UAC consent dialog boxes pop up quite frequently when you start using Vista, in other words when you install applications, configure features and settings, and generally make the system your own. Once you're actually using Vista rather than setting it up, UAC will annoy you much less frequently.

UNIX-like OSs such as Apple's Mac OS X and Linux also use UAC-like consent prompts (the authorization dialog in OS X, sudo and its graphical front ends on Linux). And because those systems typically require end users to use non-admin accounts for day-to-day work, their prompts are, by this measure, even more intrusive than UAC: they always require a password. Cautious Vista users can configure UAC the same way. Set the Local Security Policy option User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode to Prompt for credentials, and even administrators must type a password at every prompt. That's more secure than the default Prompt for consent, because a stray click can no longer approve an elevation, although it's also more arduous to use.
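To see the split token and the policy settings described above on a real machine, here is an added PowerShell example (mine, not part of the original article and not Microsoft's code). It reports whether the current session holds a filtered token, reads the UAC values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, flags settings weaker than Vista's defaults, and shows the registry equivalent of the Prompt for credentials policy. Assumptions: Windows Vista or later with PowerShell; the function names are my own, and the meanings of ConsentPromptBehaviorAdmin values 3 through 5 apply to Windows 7 and later (Vista only knew 0 through 2).

```powershell
# Added example, not from the article. Requires Windows Vista or later.

function Get-UacTokenState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # IsInRole() is evaluated against the token this process actually runs with.
    # Under UAC an administrator's unelevated process carries a filtered token in
    # which the Administrators membership is marked deny-only, so this stays
    # $false until the process has passed through a consent prompt.
    $elevated = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # The filtered token still lists BUILTIN\Administrators (S-1-5-32-544), which
    # tells you the account is an administrator even when the process can't use it.
    $inAdmins = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })

    New-Object PSObject -Property @{
        User                     = $identity.Name
        AdministratorAccount     = $inAdmins
        Elevated                 = $elevated
        RunningWithFilteredToken = ($inAdmins -and -not $elevated)
    }
}

function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key
    $adminPrompt = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop (Vista default)'
        3 = 'Prompt for credentials'                       # 3-5 exist from Windows 7 on
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    $code = $p.ConsentPromptBehaviorAdmin
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA                  # 1 = UAC on
        ConsentPromptBehaviorAdmin = $code
        AdminPromptMeaning         = $(if ($code -ne $null) { $adminPrompt[[int]$code] } else { '(value absent)' })
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser # 0 = deny, 1 = ask for admin credentials
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop     # 1 = prompt on the dimmed secure desktop
        FilterAdministratorToken   = $p.FilterAdministratorToken  # 1 = built-in Administrator is filtered too
    }
}

# Findings text is my own wording; absent values are treated as Vista's defaults.
function Test-UacPolicy {
    param($Policy = (Get-UacPolicy))
    $findings = @()
    if ($Policy.EnableLUA -eq 0) {
        $findings += 'UAC is off (EnableLUA=0): administrators run with full tokens and nothing is filtered.'
    }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Administrators elevate silently (ConsentPromptBehaviorAdmin=0): the consent check never appears.'
    }
    if ($Policy.PromptOnSecureDesktop -eq 0) {
        $findings += 'Prompts are shown on the normal desktop, where another window can spoof or click through them.'
    }
    if ($Policy.FilterAdministratorToken -ne 1) {
        $findings += 'The built-in Administrator account is exempt from Admin Approval Mode (Vista default); keep it disabled.'
    }
    $findings
}

# The "always ask for a password" configuration from the text. Writes HKLM, so it
# must itself run from an elevated prompt.
function Set-UacCredentialPrompt {
    if (-not (Get-UacTokenState).Elevated) { throw 'Run this from an elevated (Run as administrator) PowerShell.' }
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
}

# Programmatic equivalent of right-click, Run as administrator: relaunch a script
# elevated. The consent (or credential) prompt still appears; that is the point.
function Start-Elevated([string]$ScriptPath) {
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList ('-NoProfile -ExecutionPolicy Bypass -File "{0}"' -f $ScriptPath)
}

Get-UacTokenState | Format-List
Get-UacPolicy     | Format-List
Test-UacPolicy
```

Run it twice, once from an ordinary PowerShell window and once from one started with Run as administrator, and compare the RunningWithFilteredToken and Elevated fields: that difference is the whole of Admin Approval Mode. Test-UacPolicy treats a missing value as the Vista default, so on a fresh machine its only finding should be the unfiltered built-in Administrator.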

BitLocker Drive Encryption

Given the number of corporate laptops lost to theft or forgetfulness each year, it's little wonder that the cost of replacing these machines is far outweighed by the value of the information stored on them. Nearly every month you can read a news story about someone who lost a laptop that contains private information for customers and clients, requiring a company to undertake an expensive and embarrassing public process to try to set things right. Laptop loss and theft can easily lead to identity theft, sometimes on a massive scale. The key to preventing this kind of information loss is to encrypt the data on the laptop, so that removing the machine's hard disk and reading it elsewhere yields nothing.

Windows NT-based versions of Windows, from Windows 2000 through XP, have included Encrypting File System (EFS) for years. EFS lets you encrypt individual files and folders on an NTFS volume, ensuring that everything they contain, including documents and other data files added after the folder is encrypted, is protected from prying eyes. EFS does its work with a minimal, imperceptible performance hit, and the results have proven quite satisfactory. Its limit is scope: anything outside the files and folders you mark, including the page file, the hibernation file, and the temporary copies applications leave elsewhere on the disk, stays in the clear.

We'll look at Vista's improvements to EFS in Part 2 of this write-up next month, but Vista Enterprise and Vista Ultimate include an even more impressive encryption function called BitLocker Drive Encryption. BitLocker encrypts the entire Windows volume (i.e., the partition on which the WINDOWS directory is located, typically the C drive), system files, page file, and hibernation file included, and once an administrator has turned it on the end user needn't configure anything. Admins can roll the feature out to executives and others who travel with sensitive corporate data.

But BitLocker doesn't stop there. You might remember that Microsoft's Next-Generation Secure Computing Base (NGSCB, formerly code-named Palladium) technologies were originally going to be a major part of Vista. Today, BitLocker Drive Encryption is one of only a handful of NGSCB-derived technologies that remain in the product. The NGSCB heritage shows in how BitLocker works with Trusted Platform Module (TPM) 1.2 hardware on the motherboard to check the integrity of key system components at boot time. During startup, the firmware and the Windows boot loader record measurements of the boot components in the TPM's platform configuration registers; BitLocker seals the key that unlocks the volume to those measurements, and the TPM releases it only when they match. Move the disk into a different PC, or tamper with the boot code, and the measurements differ, the key stays sealed, and Windows falls back to asking for the recovery password. That is what ensures a BitLocker-protected disk can't simply be placed into another machine, and it also blocks attacks that modify the boot path before the OS loads. One caveat: in TPM-only mode nobody types a secret, so the volume unlocks for whoever powers on the machine and the data is then guarded only by the Windows logon. Combining the TPM with a PIN, or with a startup key on a USB device, is the stronger configuration for laptops.

For those who don't have TPM 1.2 hardware, Microsoft offers a less complete version of BitLocker that uses a startup key stored on a USB memory key instead. (The BIOS must be able to read USB devices before Windows starts, and you must enable the Group Policy option Allow BitLocker without a compatible TPM.) This mode supplies all of BitLocker's disk encryption but none of the boot-time integrity checks, and the USB key becomes a single object to guard: anyone who obtains the laptop and the key together has the data.

For the end user, BitLocker Drive Encryption is a bit ponderous to set up. You must reserve a second, active partition of at least 1.5GB on the laptop's hard drive. This system volume stays unencrypted because it holds the boot manager and the other files the PC needs to boot before the Windows volume can be unlocked, so nothing else should be stored on it. If you didn't partition the disk this way during initial setup, you'll need to find a Vista-compatible nondestructive partitioning utility that can do the job. Users of Vista Ultimate have access to a free extra called the BitLocker Drive Preparation Tool, which performs this repartitioning for you. Microsoft must think Vista Enterprise users can handle this kind of thing on their own.
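An added PowerShell example (mine, not the article's and not Microsoft's code) that checks the points just discussed: whether a TPM is present, enabled and activated; whether the Windows volume is protected; and which key protectors unlock each volume, so that a laptop running in USB-key-only mode (no integrity check) or TPM-only mode (no user secret) stands out. It uses the Win32_Tpm and Win32_EncryptableVolume WMI classes that ship with Vista's BitLocker, both of which require an elevated prompt. The function names and the findings text are my own.

```powershell
# Added example, not from the article. Run elevated on Vista Enterprise/Ultimate
# or any later Windows with BitLocker installed.

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }   # no TPM, or it is hidden/disabled in firmware
    New-Object PSObject -Property @{
        SpecVersion = $tpm.SpecVersion               # "1.2, 2, 3" on a TPM 1.2 part
        Enabled     = $tpm.IsEnabled().IsEnabled
        Activated   = $tpm.IsActivated().IsActivated
        Owned       = $tpm.IsOwned().IsOwned         # BitLocker takes ownership when enabled
    }
}

# KeyProtectorType values returned by Win32_EncryptableVolume.GetKeyProtectorType
$script:ProtectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (USB startup key)'
    3 = 'Numerical password (recovery)'; 4 = 'TPM and PIN'; 5 = 'TPM and startup key'
    6 = 'TPM, PIN and startup key'; 7 = 'Public key'; 8 = 'Passphrase'
}

function Get-BitLockerVolumeState {
    $ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    foreach ($vol in (Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume)) {
        $types = @()
        foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {   # 0 = all protector types
            $types += $script:ProtectorNames[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
        }
        New-Object PSObject -Property @{
            Drive            = $vol.DriveLetter
            IsSystemDrive    = ($vol.DriveLetter -eq $env:SystemDrive)
            ProtectionOn     = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)  # 0 off, 1 on, 2 unknown
            EncryptedPercent = $vol.GetConversionStatus().EncryptionPercentage
            KeyProtectors    = $types
        }
    }
}

# Flags the weak states the text describes. Recovery passwords are excluded when
# deciding what "unlocks" a volume day to day, because they are a fallback, not a
# boot-time protector.
function Test-BitLockerPosture {
    $tpm = Get-TpmState
    $findings = @()
    if (-not $tpm) {
        $findings += 'No TPM visible: only the USB startup-key mode of BitLocker is available.'
    } elseif (-not ($tpm.Enabled -and $tpm.Activated)) {
        $findings += 'TPM present but not enabled and activated in firmware; BitLocker cannot use it.'
    }
    foreach ($v in Get-BitLockerVolumeState) {
        if ($v.IsSystemDrive -and -not $v.ProtectionOn) {
            $findings += "$($v.Drive) (Windows volume) is not protected by BitLocker."
        }
        if (-not $v.ProtectionOn) { continue }
        $unlock = @($v.KeyProtectors | Where-Object { $_ -notlike 'Numerical password*' })
        if ($unlock.Count -eq 1 -and $unlock[0] -like 'External key*') {
            $findings += "$($v.Drive): unlocked only by a USB key; without a TPM there is no boot-integrity check, and the key must be guarded."
        }
        if ($unlock.Count -eq 1 -and $unlock[0] -eq 'TPM') {
            $findings += "$($v.Drive): TPM-only; the volume unlocks for anyone who boots the machine. Consider TPM and PIN or TPM and startup key."
        }
        if (-not ($v.KeyProtectors -like 'Numerical password*')) {
            $findings += "$($v.Drive): no recovery password; a TPM fault or motherboard swap makes the data unrecoverable."
        }
    }
    $findings
}

Get-TpmState             | Format-List
Get-BitLockerVolumeState | Format-Table Drive, ProtectionOn, EncryptedPercent, KeyProtectors -AutoSize
Test-BitLockerPosture
```

On a machine set up exactly as the article describes (TPM 1.2, no PIN) the output lists the C volume with protectors TPM and Numerical password, and Test-BitLockerPosture returns the TPM-only finding; on a USB-key-only laptop it returns the missing-TPM and external-key findings instead.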

But Wait, There's More

We're far from finished discussing Vista's security features. Next month, I'll examine Vista's EFS improvements, file system and registry virtualization, service isolation, driver signing and code integrity features, Address Space Layout Randomization, and security features you'll only see in x64 versions of Vista.
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From Unified Messaging to 
Unified Communications 

Exchange and Outlook, Live Communications Server, and Office Communicator 



Karen Forster (karen@windowsitpro.com) is editorial and strategy director for Windows IT Pro and SQL Server Magazine and former director of Windows Server User Assistance at Microsoft.




Microsoft and Nortel are working together on UC solutions. Learn more at http://www.microsoft.com/presspass/press/2007/jan07/01-17BusCommTransformationPR.mspx.


According to Microsoft's Zig Sarafin (general manager, Real-Time Collaboration), "In the last year, because we were using Live Meeting and doing more Web conferencing, Microsoft saved about $70 million on travel expenses."

Although savings in a company's travel budget don't necessarily benefit IT budgets, Zig's implication is that if IT could save your company millions of dollars in travel costs this year, you could justify implementing a unified communications (UC) infrastructure. But even if IT could apply other departments' travel-cost savings to new technology, this month's 300 survey respondents say they'd need a better idea of the concepts, technologies, and benefits of UC before considering a UC implementation.

Fifty-seven percent of respondents said they understood UC concepts and benefits, 29 percent had heard of it but weren't familiar with the concept or benefits, and 13.7 percent didn't know about UC. Even many readers who said they understood UC were uncertain about how it differs from Unified Messaging (UM) and what role (if any) Exchange Server 2007 plays in a UC solution. Many survey respondents asked "What specifically is UC, and how does it save us time and money?"

Expanding on UM 

"Often people think UM means UC," Zig said. "In the survey, people said UC meant email and voicemail integration," which is actually the basis for UM. Exchange 2007 Enterprise Edition and Outlook 2007 let you access your voice and email messages from your Inbox. Zig noted that with these products you get "speech-recognition access to calendaring and to your corporate directory. For example, you can call Microsoft's main corporate number, ask for someone, and the voice recognition system will route the call."

Complementing the Exchange-based non-realtime UM platform is Live Communications Server (LCS), the foundation for UC. Zig explained, "To define UC, we start by looking at the different silos of business communications today: audio conferencing, PBX, Instant Messaging, email, voicemail, video, mobile phones. UC is about breaking down those silos into one software experience that works on your PC, on your mobile device, on a telephone in your office. Instead of going to four or five different applications to reach a person, you go to one source of communication. Instead of trying to find a phone number for that person, you type in the name or look at your buddy list and see if they're available. That is the beginning of unified communications."


Like Exchange with Outlook, LCS works with "Office Communicator, which is a unified communications client. Communicator looks like an IM client. But you can also make calls from this client. It's a soft phone. Communicator is the user experience on the PC for Web, video and audio conferencing, making phone calls, doing IM, and being able to look up users based on their availability."

Lighting Up Presence 

The concept of availability, or "presence," is important for understanding UC. The exemplar of presence capability is IM: In your IM application, you can see whether a person you want to communicate with is online, busy, or accessible via a mobile device. UC extends this capability by accessing Active Directory (AD) information to provide presence data about all members of your organization for all your communications technologies.

Referring to this month's survey data, Zig said, “I found 
a bit of irony. On the one hand, survey respondents have an 
issue with being able to reach people and wish they could 
know people's availability, or reachability. On the other 
hand, 65 percent of respondents' companies don't allow 
people to use IM." 

But Zig pointed out, "IM's presence capability hasn't been fully taken advantage of. Today, in the consumer IM experience, I can manually click on 'busy' or 'out to lunch.' But that's barely scratching the surface. What's interesting is when people deploy secure IM through LCS, integrated with AD. You can think about presence as 'lighting up' user identity in a corporation's AD infrastructure. So any application that's integrated with AD can surface up the availability and reachability of someone" in the context of that application.

For instance, Zig said, “If you type in a person's name 
anywhere in Office, using SmartTag resolution in association 
with AD, you can see the person's availability. If I'm in my 
office and typing away, the system knows I'm online. But if I 
integrate my phone system with presence capability and AD, 
when I go to a meeting, calendar information from Exchange 
tells the presence server that I'm not available and puts my 
phone on Do Not Disturb. That happens because everything 
is integrated with one source of presence, which is integrated 
with AD, the core identity system in a company." 

Integrating AD with presence has implications for systems management and security. "Surrounding presence," Zig explained, AD provides "context on where users sit organizationally and their role in the company. You can instantiate policies with respect to what group I'm a member of and what rights I have for accessing other people's presence."

So, Zig continued, "From within Outlook 
2007, you'll be able to receive an email and 
instantly respond with an IM. Groups and 
distribution lists in email are simultaneously 
supported in IM, so if you want to send a group 
IM, it's the same group distribution list as 
you're using in email. It also has implications 
for cross-network or cross-domain policies 
around users.” 

I commented that Microsoft recently moved the Exchange development team from the Server and Tools Division into the business organization responsible for Office and LCS and asked Zig whether the move might foreshadow a future merging of Exchange and LCS into one product. He replied, "They will remain distinct products, but from an evolution standpoint, there's a reason why we have both products under a single business unit at Microsoft. We deeply believe that the two experiences have a lot of complementary synergies, particularly with respect to rules, identity, security, management, IT infrastructure, even the user experience and reachability."


UC Components

Zig explained what you need to get started with UC: "The application components are email, voicemail, IM, video and audio conferencing, Web conferencing, and call management (the call control you typically have in a PBX). First, upgrade email [to Exchange 2007 and Outlook 2007] and deploy LCS in parallel. Then get ready for Office Communications Server [OCS, which supersedes LCS]. If you upgrade Exchange and deploy LCS right away, Office 2007 lets you light up your AD with presence capability. You won't get those things if you don't deploy both at the same time."

I asked Zig to expand on OCS. "OCS is committed to ship at the end of the second quarter of 2007. It's in beta now. OCS offers some interesting possibilities even from a SKU perspective. For example, you get cell phone functionality today as part of LCS. But OCS will offer a separate SKU for that and will give you call management. Companies have a lot of Skype users, and people will be able to do secure VoIP calls and integrate with the corporate dialing plan, running off the same system they're running their IM platform on. In addition, you can run SIP-based phone endpoints off it. You get that experience over a non-VPN environment. Just as when you're traveling and have access to Outlook using HTTPS-based login, you get the same experience with Communicator—not just for IM, but for voice and video."

Justifying UC 

Surveyed readers were split on the value of deploying UC, to which Zig replied, "In some ways, email wasn't cost justified in the early 90s, but it crept into the way people work. An interesting fact: The adoption rate of LCS corporate-grade IM today is similar to what we saw from 1997 to 2000 when corporations started standardizing on an email platform. Companies are using IM as a productivity tool that also provides IM archiving capabilities so you can meet compliance requirements, deal with HR, have encrypted traffic, and do federation."

Because 57 percent of readers surveyed requested articles on UC, we'll be writing about this technology in the near future. Let me know what you'd like to learn about UC.

InstantDoc ID 94924 
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New & Improved 


Blake Eno (products@windowsitpro.com) is product editor for Windows IT Pro 
and SQL Server Magazine. 

Increase Password Functionality 

Special Operations Software announced Specops Password Policy 2.0, a password policy system that uses your existing Active Directory (AD) and Group Policy infrastructure to increase password security within your organization. Specops Password Policy 2.0 extends the length requirement on passwords, automatically sends password expiration emails, and prohibits incremental passwords. Additional functionality includes 64-bit domain controller (DC) support and automation through Windows PowerShell or .NET. You can download a free trial of Specops Password Policy on Special Operations Software's Web site.

416-849-5325, 866-857-5325 


Product Spotlight 


Vizioncore Streamlines VMware 

Are you managing a VMware deployment and finding gaps in 
functionality, particularly in the areas of backup and recovery, 
management, and migration? Vizioncore is seeing the same problems 
over and over again in VMware deployments and has developed a 
strong, strategic partnership with VMware to fill those functionality 
gaps. We recently spoke with Chris Akerberg, vice president of 
global sales for Vizioncore, who told us how his company leverages 
the power of Linux to develop easy-to-use, intelligent software to 
enhance VMware and solve real-world problems. 

Vizioncore developed four products that you can buy separately or bundled. The first, esxRanger Professional ($499 per CPU socket on the VMware host), provides VMware image backups with nightly differentials and file-level restores with seamless VMware Consolidated Backup (VCB) integration. The second, esxCharter ($299 per CPU socket on the VMware host), provides simple monitoring and management of the complete virtual environment, letting IT departments accurately and easily charge for resource utilization. The third, esxReplicator ($399 per virtual machine—VM), provides real-time replication of entire VMs, affording small-to-midsized businesses (SMBs) high-availability options. The fourth product, esxMigrator ($1,000 for 25 VMs, $2,500 for 100 VMs, $7,500 for an unlimited enterprise license), fully automates and limits downtime of VMware migrations from ESX 2.x to VI3. You can buy the first three components bundled for significant savings.

Vizioncore is currently devoted to enhancing the VMware experience, but it's not turning a blind eye to other platforms. The company is watching the market closely.

www.vizioncore.com 
847-589-2222, 866-260-2483 



Make Faxes Within 
SharePoint Portal Server 
Text-Searchable 

FaxCore announced the FaxCore SharePoint Connector, which makes faxes text-searchable in Microsoft SharePoint Portal Server by enabling fax indexing through Optical Character Recognition (OCR). FaxCore SharePoint Connector can deliver faxes into designated SharePoint Document Libraries, which you then configure to allow specific users to view, edit, download, or delete faxes from each folder. Each time a fax document is modified within SharePoint Portal Server, an audit trail is created so you can see who made the changes and track them.

www.faxcore.com, 720-870-2900 





Deploy the 
Compatibility 
Pack for Office 
2007 

IS Decisions announced 15-day RemoteExec licenses (starting at $0.22 per target system) to allow organizations using Office XP/2003/2000 to rapidly deploy the Microsoft Compatibility Pack for Office 2007. RemoteExec can deploy the Compatibility Pack remotely without the use of agents or prior manual intervention on targeted systems and will log any systems on which the deployment failed. This log information can be used to generate a subsequent deployment pass. Additional functionality includes the ability to add, modify, and delete registry keys and to install patches, hotfixes, and service packs. For a full list of RemoteExec's functionality, or for additional support regarding the Microsoft Compatibility Pack for Office 2007, visit the IS Decisions Web site.

www.isdecisions.com 
Keeping Users Connected

Every aspect of life involves risk. From our first breath of life until our last, there are all sorts of potential obstacles that can interrupt or terminate our mortal lives, our careers, our family situations, and so on. Some of the risks we face are under our control, and some are not. We can follow a variety of strategies to try to understand and manage the risks we face in various areas, and the IT field is no exception.

In general, most IT professionals understand 
the basic concepts of risk management, even 
though they may not have been exposed 
to formal training. However, two things are 
happening in the IT field: the number of 
potential risks is growing, and the impact of 
some risks is increasing rapidly. Given these 
two changes, it may be time to consider 
changing the way you evaluate and protect 
against risks to your IT operations, and those 
changes begin with understanding some 
essential aspects of risk management. 

Risk, Threats, and Loss 

The easiest way to start understanding IT 
risk management is to learn three vocabulary 
words: 

A risk is the probability that something bad 
will happen. Examples include damage to your 
data center, extended downtime, or the loss of 
a critical person on your IT team. 

A threat is what turns the risk from a 
probability into an actuality. Threats include 
natural disasters, fires, civil disturbances, 
malicious attacks, and pretty much any 
other action (or inaction) that can cause an 
interruption of service in your IT operations. 
A loss is what happens to you when a risk 
becomes a reality. 

Threats and risks always come in pairs; if 
there’s no threat, then there’s no risk, and vice 
versa. For example, there is a theoretical risk 
that Godzilla might attack your data center. 
However, since Godzilla doesn’t really exist, 
he’s not a threat, and thus there’s no actual 
risk to you. Of course, unlike Godzilla, the 
many risks IT professionals face are real. How 
can you decide which ones to worry about? 

A good place to start is with your users. In a typical IT shop, your day-to-day focus is on providing services that help your users accomplish whatever it is they do. Having high service or system availability is a means to that end; if users can't get their work done because of a problem with one part of your system, it doesn't matter how available your messaging or database servers are!

Simple Risk Calculations 

There's a whole branch of human knowledge known as actuarial science, but for our purpose we'll use a simpler method that employs two factors to calculate risk.

The first factor is the probability that a particular event will happen. For example, what is the likelihood that your data center will suffer a catastrophic weather event or fire in the next five years? What is the probability that your storage system will fail during working hours in the next two years? Calculating or identifying these probabilities can be a little tricky, since humans are notoriously bad at estimating risks themselves. To see this principle at work, ask someone you know to estimate the risk of death in a commercial airline accident versus the risk of dying in an automobile accident, then compare the answers to the actual odds published by the National Safety Council (http://www.nsc.org/lrs/statinfo/odds.htm): 1 in 84 for a car crash versus 1 in 5,051 for an airline crash. Whenever possible, use validated statistical data for your probabilities; you can find such data from a variety of sources, including your business insurance company.

The second factor is the expected loss if the event does occur. Here you're much better positioned to come up with accurate data for your particular situation. For example, you should already know the expected loss if your data center were to be unavailable for a week. If you don't know the expected losses for these kinds of events, you need to find out, because knowing the expected loss helps you understand which risks really need to be mitigated. The most serious risks aren't always the most obvious ones. To estimate the expected loss accurately, you have to decide on the measurement basis you'll use. The loss basis might include the replacement cost of data or systems, the direct cost of not being able to take orders or do other business, and the indirect cost of downtime caused by idling your workers. An hour of downtime that affects 100 people is actually 100 person-hours of downtime, and you should estimate that hour's cost accordingly. That's part of the reason why focusing on risks that affect the end user's experience is so important.

Once you know these two factors for a particular risk, multiply them together. The product is a score for that event that takes into account both how likely it is to happen and how much it will cost to repair or recover if it does; when the probability is expressed per year, the score is simply the expected annual loss from that event. Comparing the scores shows which risks are the most damaging. For example, there are a few low-probability but very-high-impact events that you might want to plan for, like an outbreak of avian flu, and a few high-probability but low-impact events, like losing one or two disks in a storage enclosure, that you've probably already planned for. In between lies a whole constellation of medium-probability risks whose impact will vary according to their nature, the line of business you're in, and the adaptability of your organization. Remember that users depend on a whole chain of interrelated systems; if one link in the chain fails, the end result, user downtime, is the same no matter which link was actually at fault.

Most IT shops face medium-probability, 
medium-impact risks fairly often. Consider 
how often you have power outages, loss of 
Internet connectivity, application performance 
problems, data corruption or other events that 
can prevent your users and customers from 
using the systems you provide; it’s likely that 
this happens often enough to take up a major 
share of your planning time and budget. 

Mitigating Risk 

Now that you understand how to calculate 
a simple score to quantify risk, you need to 
understand the tools that are at your disposal 
to reduce your exposure to risk. This process 
is known as risk mitigation, and there are 
essentially four ways that you can mitigate a 
given risk. 

First, you can avoid the risk. People do this all 
the time in the real world: if you don’t want to 
take the risk of being injured while 
skydiving, you don’t go skydiving. 
Unfortunately, most of the risks 
we face in the IT world cannot be 
completely avoided; the only way to 
avoid them is to not use computers 
in your business. 

Second, you can reduce the risk. Risk reduction is why people take backups of their critical servers; having a backup greatly reduces the chance that a failure will lead to extended downtime. The degree to which you can reduce a particular risk varies with the nature of the risk and the kind of protective measures you have at your disposal. This measure is a little misnamed, since in many cases it doesn't reduce the probability of the event itself but rather its impact.

Third, you can transfer the risk. If you have car or homeowners' insurance, you already understand this mitigation method. As with risk reduction, transfers don't eliminate the risk, but they shift the impact (and cost) to another party. In an IT context, you might buy insurance to protect against financial losses caused by certain types of events, or you might rely on a service-level agreement with an outside entity to cover your losses if it fails to deliver services as promised.

Fourth, you can retain the risk. This basically 
means that you accept the potential for loss. 

More precisely, it means that you accept that 
your attempts to avoid, reduce, or transfer the 
risk may result in some residual loss (like the 
deductible on a car insurance policy), and you 
budget and plan accordingly. 

For downtime, the mitigations that make the most sense are avoidance (by 
building continuity and redundancy into your environment) and reduction 
(by taking traditional steps like implementing backups). 

Risk Management and You 

So what does all this actuarial talk have to do with you? It’s simple: in 
your environment, you will almost certainly have to focus on risk 
reduction. Why? First, the biggest risks your company faces, like extended 
downtime, virus outbreaks, or security penetrations by a malicious insider, 
aren’t really subject to avoidance. Second, if you rely on transferring the 
risk, you’re not doing anything to protect your operations, only to reduce 
the financial impact if a threat affects your operations. Third, risk 
retention is what you get when you can’t eliminate the impact or the risk 
through the other three methods; retained risk is the default when you 
don’t provide sufficient avoidance, reduction, or transfer. 

In that context, risk reduction suddenly becomes very important because 
it’s the primary means of lowering the chance that you’re going to face a 
substantial loss. The reduction process can itself be subdivided into two 
parts: preventive measures that attempt to keep a threat from having an 
impact and reactive measures that attempt to reduce the impact after a 
threat becomes real. 

Preventive Measures 

For most businesses, the first measure that comes to mind is backup. It’s 
true that having a well-tested, mature backup process is a critical step 
that can really save you, but it’s not a preventive measure! Backups alone 
don’t proactively protect you from anything. Chances are good that you’re 
already taking some preventive steps, though. For example, if you have 
antivirus software running, that’s a preventive measure, as is the use of 
strong password policies or clustering. However, measures that focus on 
recovery time or recovery point often miss the point: if you can avoid 
downtime in the first place, you’ll be better off than if you have to 
suffer an outage but can execute a fast restoration. 

Many of the things we do in the context of IT security and high 
availability are preventive measures, but how do you decide which 
preventive steps make sense? The answer comes from the risk-scoring method 
I described earlier. You start by making a list of potential threats and 
the risks associated with them, then calculating a risk score for each one. 
You can then use the risk score to rank specific threats and figure out 
which ones you need to mitigate first based on how severe the risk is 
(i.e., how it scores) and how much it costs to mitigate. For example, if 
you have a high-impact, low-probability risk that costs $1,000 to defend 
against, you might decide that the money is better spent mitigating two 
medium-impact, low-probability risks (or you might not; it depends on your 
company’s internal tolerance for risk). 
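To make that ranking concrete, here is a small risk register worked through in code. This is an added example and not part of the original article: it assumes the simple score is probability times impact on 1-to-5 scales (the article’s own scoring method was described earlier and is not reproduced here), converts the probability into a rough annual rate so that mitigation cost can be compared in dollars, and then spends a fixed budget on the controls that remove the most expected loss per dollar. The risk names, rates, and dollar figures are constructed sample data.

```python
"""Rank risks by score, then spend a mitigation budget by value per dollar.

Added example, not from the article.  Assumptions (not stated on the page):
score = probability * impact, both on 1..5 scales; ANNUAL_RATE turns the
ordinal probability into a rough events-per-year figure so that expected
loss can be compared with mitigation cost in dollars.
"""
from dataclasses import dataclass

# Assumed mapping from the 1..5 probability scale to events per year.
ANNUAL_RATE = {1: 0.05, 2: 0.2, 3: 0.5, 4: 1.0, 5: 4.0}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int          # 1 (rare) .. 5 (frequent)
    impact: int               # 1 (nuisance) .. 5 (business-stopping)
    loss_per_event: float     # dollars lost each time the threat materializes
    mitigation_cost: float    # dollars to put the preventive control in place
    effectiveness: float      # fraction of the expected loss the control removes

    @property
    def score(self) -> int:
        return self.probability * self.impact

    @property
    def expected_loss(self) -> float:
        return ANNUAL_RATE[self.probability] * self.loss_per_event

    @property
    def loss_removed_per_dollar(self) -> float:
        return self.expected_loss * self.effectiveness / self.mitigation_cost


# Constructed sample register (every value is illustrative).
SAMPLE_REGISTER = [
    Risk("datacenter fire", 1, 5, 500_000.0, 1_000.0, 0.5),
    Risk("insider misuse", 2, 5, 100_000.0, 15_000.0, 0.4),
    Risk("tape failure", 2, 4, 20_000.0, 400.0, 0.7),
    Risk("power outage", 3, 3, 8_000.0, 2_500.0, 0.9),
    Risk("isp outage", 3, 3, 5_000.0, 3_000.0, 0.8),
]


def rank_by_score(risks):
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score, r.name))


def choose_mitigations(risks, budget):
    """Greedy: fund controls in order of expected loss removed per dollar.

    Returns (names funded, in order; budget left over).  Greedy-by-ratio is
    not always optimal for a knapsack, but it is transparent, which is what
    you need when defending the choice in a budget meeting.
    """
    funded, remaining = [], float(budget)
    for risk in sorted(risks, key=lambda r: -r.loss_removed_per_dollar):
        if risk.mitigation_cost <= remaining:
            funded.append(risk.name)
            remaining -= risk.mitigation_cost
    return funded, remaining


if __name__ == "__main__":
    for r in rank_by_score(SAMPLE_REGISTER):
        print(f"{r.name:16} score={r.score:2} expected_loss=${r.expected_loss:,.0f}")
    funded, left = choose_mitigations(SAMPLE_REGISTER, 4_000)
    print("fund first:", funded, "unspent:", left)
```

Note how the two orderings disagree: by score alone the insider risk tops the list, but with mitigation cost in the picture the $1,000 fire control and the cheap tape-validation control are funded first and the insider control is not, which is exactly the trade-off the paragraph describes.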


As part of this process, you may find it helpful to survey the actual 
types of data you’re thinking about protecting and how they’re used. You 
can do this using assessment tools that measure the type and volume of 
data that your network is using; these tools can help measure and analyze 
the pattern of file activity on your network so that you understand what 
the actual impact of a loss might be. Analysis tools that automatically 
and unobtrusively monitor the ongoing health of your server environment, 
both pre- and post-installation, and gather vital information about 
performance, workload, bandwidth usage, and other critical factors are 
extremely helpful in taking preventative measures and reducing your level 
of risk. 

Reactive Measures 

“Reactive” is often a dirty word because it implies passivity. However, in 
this case, it’s a good word: it means risk reduction measures that attempt 
to reduce the impact side of a risk. No technology is 100% effective, so 
your risk management planning should definitely assume that your 
preventative measures might not completely insulate you from a particular 
threat. Backup is a great example; your backup and restore planning 
probably doesn’t assume that every restore will be 100% successful (and if 
it does, it shouldn’t!). 

Many organizations augment their preventative measures with technologies 
like multi-site data replication or clustering precisely because these 
technologies help reduce the impact of a failure that should have been, 
but was not, prevented. Keeping a live copy of your data at a remote site 
gives you an effective way to react to a variety of risks, including 
physical damage to the data center, widespread loss of connectivity, or 
major hardware problems, all risks that you may not effectively be able to 
prevent or transfer. In that light, extended high availability solutions 
can be an extremely valuable part of your risk management planning because 
they give you a way to continue operations even after your prevention has 
failed. 

Conclusion 

Your risk mitigation measures should ideally 
focus on making sure that your users maintain 
uninterrupted access to the applications and data 
they need to work. This requires you to take a broad 
view of your preventative and reactive measures to 
prevent downtime wherever possible and to limit 
its impact when it can’t be prevented. To keep users 
working, you need to apply appropriate mitigations 
to your applications, the data they provide, the 
network that they depend on, and the physical 
hardware that they use. 

Once you’ve decided which risks need the most immediate mitigation, you’re 
prepared to take the necessary steps to mitigate them. That will probably 
involve a combination of changing your operational 
practices, identifying specific risks that you can transfer, 
retain, or avoid, and working to prevent the rest. 
Because you can’t guarantee that you will be able to 
prevent every single risk you face, you should plan to 
incorporate reactive measures such as high availability 
and disaster recovery solutions to help ensure that you 
can keep operating when a preventative measure fails. 
The combination of these preventative and reactive 
measures will help you effectively ensure that your 
users can keep working even when you have failures at 
any layer of your entire application stack. 
Whether your company is a start-up or a Global 100, system downtime always 
harms your reputation, profitability and productivity. With Neverfail, 
users stay continuously connected to their applications no matter when, 
where or why a failure occurs in the server environment. We deliver 
"cluster-class" disaster recovery, data protection and high availability 
software solutions at a significantly lower total cost and complexity. 
With automatic failover response measured in seconds rather than minutes, 
and no user or IT management intervention needed, anything less is a lesser 
solution. Designed for Windows-based applications, Neverfail's 
comprehensive suite of award-winning software solutions will help ensure 
that your business is always up and running and never misses a beat. 

To make your business a more productive and profitable enterprise, visit 
neverfailgroup.com for your free white paper, The Future of Business 
Continuity, a white paper from the Patricia Seybold Group that discusses 
affordable solutions that eliminate disruptions of any kind. Or, better 
yet, email us today to join companies all over the world who have chosen 
Neverfail for the most effective disaster recovery, data protection and 
high availability solutions in the industry. 
New & Improved 


Centralize Management of File and Security Settings 

ScriptLogic announced Security Explorer 6.0, software that provides 
real-time management of access controls and security on Windows file 
servers and workstations across the enterprise. With this release, Security 
Explorer has incorporated the functionality of ScriptLogic Service Explorer, 
which provides centralized management of security controls and settings. 
Now you can use Security Explorer to manage services and tasks on multiple 
servers and desktops. Other enhancements include an updated interface and 
Windows Vista support. You can download a free 30-day trial version of 
Security Explorer from ScriptLogic’s Web site. 

561-886-2400, 800-813-6415 

Simplify Storage Management, High Availability, and Disaster Recovery 

Symantec announced Veritas Storage Foundation 5.0 High Availability for 
Windows, software that combines Storage Foundation for Windows and Veritas 
Cluster Server to simplify storage management, high availability, and 
disaster recovery for mission-critical Windows applications. Storage 
Foundation for Windows includes advanced iSCSI SAN management 
capabilities, supports Storage Foundation Management Server, and adds 
application-performance enhancing capabilities. Veritas Cluster Server now 
includes Fire Drill, which lets you regularly test disaster recovery 
scenarios without endangering production applications. Also new to this 
release is Veritas Storage Foundation Basic for Windows, a free version of 
Storage Foundation for Windows that runs on physical and virtual servers 
and includes dynamic multipathing functionality. 

www.symantec.com, 408-517-8000 


Easily Carry Out AD and Windows Management Tasks 

Visual Click Software announced numerous enhancements to its Windows and 
Active Directory (AD) security assessment and management tool, DSRAZOR for 
Windows. Included are more than 100 prebuilt applets that execute various 
Windows and AD management tasks, such as “accounts that are locked,” 
“accounts where last logon failed,” “view home directory sizes and 
contents,” and “report on AD object ownership.” Four of the new applets 
let you create a user using department-based templates with predefined, 
prepopulated fields, reset local administrator passwords, import Exchange 
Server contacts from comma-separated value (CSV) files, and delete 
Exchange mailboxes from CSV files. If you’re looking for functionality for 
which there is no applet, Visual Click will work with you to create one. 

www.visualclick.com 
512-330-0542, 877-902-5425 

Automate IT Operational Processes 

Opalis Software announced updates to its run book automation software, 
Opalis Integration Server 5.3. The software now features more than 90 
out-of-the-box workflow process templates that automate IT operation 
processes and provide visibility into incident, problem, configuration, 
change, and release processes. Twenty of the new policies target 
virtualization and security tasks. Opalis Integration Server also includes 
new integration packs that let you connect and interact with BMC Atrium, 
BMC Remedy, Microsoft System Center Operations Manager, Active Directory 
(AD), and VMware VirtualCenter 2. A new dashboard provides end-to-end 
visibility of IT process management, from administration to reporting. 

www.opalis.com, 905-624-1260 
Industry Bytes 


Roaming Digital IDs 

Arcot Systems (http://www.arcot.com), maker of risk-management, strong 
authentication, and digital signing solutions, recently announced a 
collaboration with Adobe Systems that will enable enterprises to give 
their users and customers easier digital signing capabilities in Adobe 
Acrobat and Adobe Reader. 

Nine-year-old Arcot Systems’ mission has always been to bring more secure 
authentication to the marketplace, Arcot’s VP of Marketing Carol Stone 
told Windows IT Pro editors during a recent conference call. During the 
company’s first six or seven years, a username and password was adequate 
for most enterprise authentication needs. Arcot built a nice business 
working with credit card companies to secure online payments, but now that 
the government and consumers are demanding tighter security for their 
personal information, Stone says, Arcot is well positioned to satisfy 
these demands with the technologies it has developed. 

Companies that use Adobe Acrobat and Adobe Reader to create and read PDF 
files can choose to purchase an Arcot SignFort server license and create 
Arcot Roaming Digital IDs for their users and customers. Roaming Digital 
IDs are stored on the server, and users can use them anytime from anywhere 
to digitally sign a document. The IDs provide two-factor authentication 
but don’t require users to carry a token. The SignFort server also logs 
each digital signing of a document. 

—Renee Munshi 

www.windowsitpro.com 
Manage and Inventory Your SharePoint Environment 


More and more organizations are using collaboration software such as 
Microsoft SharePoint technologies to share crucial business information, 
including financial documents, strategic plans, and business process 
documents, as well as to share discussions, calendars, and email messages. 
SharePoint allows users to easily set up collaborative sites without IT 
assistance, but with that ease of use can come a management nightmare. I 
learned more about this problem in a discussion with Quest Software’s 
(http://www.quest.com) Doug Davis, who is the director of product 
management for SharePoint solutions. “There’s a great demand for 
collaboration in organizations, and Microsoft has made it easy for people 
to learn about SharePoint technologies and to get their hands on Windows 
SharePoint Services. This has caused a proliferation of SharePoint sites 
unknown to IT. How can businesses protect their critical business 
information in such an unmanaged environment?” 

Quest recently surveyed customers who had downloaded its Discovery Wizard 
for SharePoint freeware tool and found that more than half of them cite 
management of SharePoint sites as one of their top challenges. 
Seventy-three percent said they’d like an automated way to discover 
SharePoint sites and details of those sites. To address those needs, Quest 
recently released its Quest Site Administrator for SharePoint. 

Site Administrator consists of three components that let IT administrators 
discover SharePoint servers and sites across the enterprise; analyze the 
usage, traffic, and health of these sites; and globally manage the sites 
to reduce the risks of downtime and the threats associated with housing 
crucial business information on unmanaged platforms. 

—Gayle Rodcay 




Adobe Systems Expands File Rights Management 

Collaboration is key in business today, but sharing files isn’t all that 
difficult; the challenge lies in controlling what recipients can do to 
those files after they’re received. Ensuring file access and managing 
that access becomes increasingly important as businesses strive to meet 
two sometimes conflicting needs: the need for collaboration and the need 
to secure sensitive files, including intellectual property. Steve Gottwals 
and Patrice Lagrange, Adobe Systems (http://www.adobe.com) product 
managers, discussed how two of Adobe’s products can help companies secure 
content no matter where it goes. Both products help users control access 
to and the usage of documents they share with others. 

Adobe LiveCycle Policy Server 7.2 expands Adobe rights management beyond 
Adobe Acrobat .pdf files alone to allow users to secure files earlier in 
the document life cycle, for example, by protecting access to and use of 
Microsoft Office Word and Excel files, as well as Dassault Systèmes’ 
Computer Aided Three-dimensional Interactive Application (CATIA) files. 
Policy Server is an enterprise rights management solution that protects a 
document or file and controls who can access it and how it can be used 
from its inception through its entire life cycle to archiving and 
destruction. Pricing for Policy Server starts at $100 per user. 

Adobe Document Center brings to individuals and workgroups the 
capabilities that Policy Server offers (via a hosted service that lets 
individuals control access to Excel, PDF, and Word files, and determine 
and track document usage) inside and outside of the firewall. In early 
2007, Adobe will also add the capability to convert documents to PDF 
format and apply security settings directly at the Adobe Document Center 
Web site. Adobe Document Center is a subscription-based service and will 
offer an introductory price of $19.99 per user per month for six months, 
or $199 for a year. 

—Caroline Marwitz 
InstantDoc ID 94930 
you can provide users with easy, centralized access to past emails via a 
web-based search interface and the ability to quickly restore emails 
through a OneClick Restore process. GFI MailArchiver aids your company in 
fulfilling regulatory email storage requirements (such as the 
Sarbanes-Oxley Act). GFI MailArchiver leverages the journaling feature of 
Exchange Server 2000/2003, providing unparalleled scalability and 
reliability at a competitive cost. Use GFI MailArchiver to: 


• Archive all incoming and outgoing company email to multiple SQL databases or NTFS drives 

• Significantly reduce storage requirements for email by up to 80% 

• End PST hell by storing email in SQL format or an NTFS drive 

• Provide end-users with a single, web-based location in which to search all their past email 

• Advanced email search and 'Saved Search' capabilities 

• Allow users to restore archived emails through a OneClick Restore 

• Help comply with Sarbanes-Oxley, SEC and other regulations. 
by Michael Otey 

Meeting the ever-increasing needs of network storage 
Like death and taxes, one thing that's a certainty, at least for all IT 
organizations, is the need for storage. No matter how much storage you 
have, you always seem to fill it up. This axiom is as true for small and 
midsized businesses as it is for large enterprises. Ever-expanding 
regulatory requirements; online backup; and email, database, document, and 
application growth are some of the primary driving factors fueling the 
need for storage. This demand for storage has exceeded the capacities 
offered by DAS. Plus, because DAS is internally mounted, it's difficult to 
expand and upgrade. NAS and SANs address the limitations of DAS by 
attaching the storage directly to the network, where it can be readily 
accessed by any network device. Of these two network storage technologies, 
NAS devices are targeted more toward small-to-midsized businesses (SMBs). 
NAS units are designed for ease of installation and are optimized for 
file-serving performance. SAN devices are designed with enterprise storage 
needs in mind; they offer greater scalability as well as advanced data 
protection capabilities such as the ability to take volume snapshots and 
replicate data. As you might expect, SAN devices are significantly more 
expensive and more complex than NAS devices. In addition to pure NAS and 
SAN storage devices, a newer variant entails using a NAS gateway on a SAN. 
The network clients are able to use the simple NAS connections, and the 
NAS appliance uses the physical storage from a back-end SAN storage array. 

Windows Storage Server 2003 R2 

Recognizing the need for easy-to-access network storage, Microsoft created 
a specialized version of the Windows Server OS called Windows Storage 
Server 2003 R2, which powers NAS devices. Being a member of the Windows 
Server family, Windows Storage Server supports integration with Active 
Directory (AD) and a management experience that is readily understood by 
Windows administrators. However, you can't buy Windows Storage Server off 
the shelf. Instead it only comes bundled with OEM products from companies 
such as HP and Dell. Unlike the more general purpose Windows Server 2003 
OS, Windows Storage Server is optimized for file serving and is capable of 
running headless (i.e., without a monitor, keyboard, and mouse). You can 
manage Windows Storage Server devices by using a streamlined Microsoft 
Management Console (MMC) snap-in, and you can connect remotely via RDP. 
Unlike the Windows Server OS, Windows Storage Server is aimed primarily 
toward file and print serving, and it doesn't support running most line of 
business (LOB) applications or server products such as Microsoft SQL 
Server or Exchange Server. Windows Storage Server doesn't require CALs and 
provides file serving for a variety of OSs by supporting a variety of file 
access protocols including 

• Common Internet File System (CIFS)/Server Message Block (SMB) for 
Windows clients 

• NFS for Linux and UNIX clients 

• HTTP for Web-based file sharing 

• WWW Distributed Authoring and Versioning (WebDAV) for desktop Web-based 
file management 

Windows Storage Server comes preinstalled on OEM devices and is designed 
for fast deployment. Most devices can be installed and available in less 
than 15 minutes. Because Windows Storage Server devices have very specific 
roles, they don't typically need the frequent patches and security updates 
that apply to the general purpose versions of Windows 2003, which 
typically support a much broader array of functionality. They do still 
share the kernel, the SMB and NFS services, and the IIS components behind 
HTTP and WebDAV access with Windows 2003, so updates for those components 
apply to the appliance and need to be tracked like any other server's. 

Learning Path 

WINDOWS IT PRO RESOURCES: 

To learn the evolution of Windows Storage Server: 

“Microsoft Launches Windows Storage Server 2003,” InstantDoc ID 40274 

“What You Need to Know About Windows Storage Server 2003,” InstantDoc ID 40725 

“Storage Server R2 Boasts Search and File-Access Improvements,” InstantDoc ID 50008 

To learn about Windows Unified Data Storage Server: 

“Windows Unified Data Storage Server 2003,” InstantDoc ID 94794 

MICROSOFT RESOURCES: 

“Windows Storage Server 2003 R2” 
http://www.microsoft.com/windowsserversystem/wss2003/default.mspx 

“Windows Unified Data Storage Server 2003” 
http://www.microsoft.com/windowsserversystem/storage/wudss.mspx 

One of the most important features that Windows Storage Server brings to 
the NAS market is Single Instance Store (SIS). SIS can save disk space by 
identifying identical files via a content-hashing mechanism. SIS stores 
only one physical instance of a file. Duplicate instances are replaced 
with links to the original file. If the duplicate file is modified, then 
the link is replaced with a copy of the updated file. Windows Storage 
Server also provides enhanced data protection using Microsoft Volume 
Shadow Copy Service (VSS). VSS enables administrators to create as many as 
512 point-in-time snapshots per volume, which you can use for rapid 
end-user data restore. In addition, file-serving performance is optimized 
over the general purpose version of Windows 2003. OEMs perform several 
optimizations before shipping the product, including disabling 8.3 file 
naming, limiting the paged-pool size to allow a larger system cache, and 
configuring disk alignment for more efficient access. Windows Storage 
Server also supports the indexing service, which improves search 
functionality for Windows 2000 and Windows XP clients. Load balancing and 
file replication are provided through DFS, and Remote Differential 
Compression (RDC) technology increases data transmission efficiencies 
across WAN links. 
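As an added illustration of the Single Instance Store behaviour described above (this is not Windows Storage Server's code, and it is not how SIS is implemented on NTFS internally), the following Python model keeps one physical copy per distinct content hash, turns duplicates into links, and copies a file back out when one of the links is modified. It also does the check a careful implementation has to do: a digest match only nominates a candidate, and the bytes are compared before two files are merged, so a hash collision can never silently join unrelated files. The paths and file contents are constructed.

```python
"""In-memory model of single-instance storage with copy-on-write links.

Added example; it is not Windows Storage Server's SIS implementation.
Paths and file contents below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class SingleInstanceStore:
    common: dict = field(default_factory=dict)  # instance key -> bytes, one per distinct content
    links: dict = field(default_factory=dict)   # path -> instance key (the "link" into the common store)
    refs: dict = field(default_factory=dict)    # instance key -> number of links pointing at it

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def write(self, path: str, data: bytes) -> bool:
        """Store data under path; return True if an existing instance was reused."""
        self._unlink(path)
        h, key, bucket = self.digest(data), self.digest(data), 0
        # A matching hash only nominates a candidate.  Compare the bytes before
        # sharing; on a (theoretical) collision use a separate bucket rather
        # than overwriting the other file's instance.
        while key in self.common and self.common[key] != data:
            bucket += 1
            key = f"{h}#{bucket}"
        reused = key in self.common
        if not reused:
            self.common[key] = data
        self.links[path] = key
        self.refs[key] = self.refs.get(key, 0) + 1
        return reused

    def read(self, path: str) -> bytes:
        return self.common[self.links[path]]

    def modify(self, path: str, data: bytes) -> None:
        """Copy-on-write: only this path changes; other links keep the original."""
        self.write(path, data)

    def remove(self, path: str) -> None:
        self._unlink(path)

    def _unlink(self, path: str) -> None:
        key = self.links.pop(path, None)
        if key is None:
            return
        self.refs[key] -= 1
        if self.refs[key] == 0:          # last link gone: reclaim the instance
            del self.refs[key]
            del self.common[key]

    def physical_bytes(self) -> int:
        return sum(len(d) for d in self.common.values())

    def logical_bytes(self) -> int:
        return sum(len(self.common[k]) for k in self.links.values())


def demo():
    """Two identical files share one instance until one of them is edited."""
    sis = SingleInstanceStore()
    payroll = b"Q1 payroll spreadsheet " * 100          # constructed content, 2300 bytes
    sis.write(r"\\nas\finance\payroll.xls", payroll)
    reused = sis.write(r"\\nas\hr\payroll-copy.xls", payroll)
    shared = (sis.physical_bytes(), sis.logical_bytes())
    sis.modify(r"\\nas\hr\payroll-copy.xls", payroll + b" (edited)")
    split = (sis.physical_bytes(), sis.logical_bytes())
    original_intact = sis.read(r"\\nas\finance\payroll.xls") == payroll
    return reused, shared, split, original_intact


if __name__ == "__main__":
    print(demo())
```

The reference count is what makes the "link replaced with a copy" step safe: the edited file gets its own instance, the original instance survives as long as any other link still points at it, and it is reclaimed only when the last link is removed.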

In addition to a more user-friendly MMC management interface, Windows 
Storage Server 2003 R2 also includes two storage-management tools: Storage 
Manager for SANs and File Server Resource Manager (FSRM). As its name 
implies, Storage Manager for SANs lets you provision storage subsystems on 
SANs by using the Microsoft Virtual Disk Service (VDS) technology. FSRM 
lets you manage user storage by establishing user quotas and setting up 
file screening, whereby you can prevent certain types of files from being 
stored. 

Although Windows Storage Server doesn't support running most LOB 
applications, it does support running Windows SharePoint Services to 
facilitate document management and collaboration. Like Windows SharePoint 
Services 2003, Windows Storage Server SharePoint Services provides various 
team collaboration features, including support for calendars, Web links, 
discussions, shared document libraries, and Web parts. 

Windows Unified Data Storage Server 2003 

The next evolutionary step beyond Windows Storage Server is Windows 
Unified Data Storage Server 2003 (WUDSS). Like Windows Storage Server, 
WUDSS is geared toward the NAS market and is available only preinstalled 
on various OEM offerings. WUDSS targets the midsized business or small 
enterprise. WUDSS is available in the following editions: 

• WUDSS 2003, Standard Edition 

• WUDSS 2003, Standard x64 Edition 

• WUDSS 2003, Enterprise Edition 

• WUDSS 2003, Enterprise x64 Edition 

WUDSS offers the same basic feature set as Windows Storage Server, with 
several larger-business-oriented additions, the most important of which is 
probably the addition of Microsoft iSCSI Software Target technology. iSCSI 
Software Target enables WUDSS to provide back-end block-level storage for 
server applications such as Exchange Server, SQL Server, and other server 
or database programs. 

WUDSS has a new Initial Configuration Tasks interface that walks the user 
through a set of user-friendly setup questions that are designed to make 
setting up WUDSS appliances easier and reduce the prerequisite knowledge 
required to complete the setup. WUDSS also has a new MMC Share and Storage 
Management snap-in. The integrated management snap-in lets administrators 
manage both CIFS/SMB and NFS shares. Like Windows Storage Server, WUDSS 
supports remote administration through RDP; however, to enable management 
by non-Microsoft clients, WUDSS also supports remote administration via 
the Java-based RDP client. For more WUDSS product information, see "HP 
StorageWorks 400 All-in-One Storage System," February 2007, InstantDoc ID 
94535. 

Moving Forward 

Windows Storage Server and WUDSS are built on the Windows 2003 OS and 
answer today's need for NAS. Windows Storage Server and WUDSS devices are 
quick and easy to deploy and provide the administrator with a familiar 
Windows management experience. The next generation of Windows Storage 
Server and WUDSS devices will be based on the Windows Longhorn Server code 
base, which will help streamline and secure the next generation of Windows 
Storage Server products. 

InstantDoc ID 95218 
Windows IT Pro and president of TECA, a software-development and 
consulting company in Portland, Oregon. He is the author of SQL Server 
2005 New Features (Osborne/ 
IMPLEMENTING THESE PRACTICAL SOLUTIONS 

Virtualization software is the rage of the tech market. Vendors such as 
Microsoft and VMware offer both server and workstation virtualization 
products, and hardware support for virtualization is appearing in AMD and 
Intel processors. By taking advantage of virtualization technologies, you 
can finally get the most out of the overabundance of computing power that 
today's multiprocessor and multicore servers boast: On one hardware 
server, you can run multiple instances of OSs, each of which appears to 
network users as a real, dedicated server. 

If you decide to use virtualization in your environment, you need to be 
aware of some concerns about the technology. In particular, virtualization 
comes with some real security concerns. Before taking the plunge, you need 
an overview of Virtual Server and its common security pitfalls, and you 
also need practical solutions that are applicable to just about any 
enterprise. Let's get started. 


Virtual Server is incredibly easy to install, but there are some 
preparatory steps that you should take to ensure security. The host OS is 
the weakest link in Virtual Server: If the host OS is compromised, 
potentially every virtual machine (VM) that runs on it can be compromised. 
Therefore, you must house the physical server in a secure location. 

When Virtual Server runs, it allocates physical memory from the host OS to 
each guest OS. The virtual disks that the VMs use are typically stored on 
DAS or Fibre Channel storage. If a malicious user has physical access to a 
machine, he or she can attach a hardware debugger or run a software 
debugger and monitor the guest OSs as they run, capturing secrets such as 
passwords. The malicious user might also be able to get access to the 
virtual disks and read them as though they were raw files, potentially 
gleaning sensitive information by using freely available forensics tools 
or even a simple hex editor. 

You must secure the host OS as carefully as possible. First, take the 
standard precautions: Remove unnecessary local accounts, and ensure that 
remaining accounts have strong passwords. Next, reduce the attack surface 
by removing any extraneous services and applications. Don't co-locate 
Virtual Server with other server products, such as Microsoft Exchange 
Server or SQL Server. Although you need to run Microsoft IIS on the host 
OS to administer Virtual Server, you shouldn't host additional Web sites. 
If a malicious user succeeds in remotely exploiting a vulnerability, he or 
she will be able to control the entire host OS and gain access to your 
VMs. Reducing the attack surface minimizes the likelihood that an attacker 
can find a remote vulnerability to exploit. An added advantage of reducing 
the attack surface is that you'll likely have fewer updates to apply over 
time. This benefit is important because applying updates can affect the 
availability of guest OSs. 

If your host OS is a member server in a domain, you should ensure that users who don't have a legitimate reason are prevented from logging on to the host OS over the network, either to network shares or through Terminal Services. The implication is that the host OS isn't used for general file and printer sharing. You can use the Microsoft Management Console (MMC) Local Security Policy snap-in or a Group Policy Object (GPO) to configure the host OS's security policy. Launch the snap-in, expand Local Policies, and click User Rights Assignment in the left pane. In the right pane, double-click Deny access to this computer from the network and ensure that users who have no legitimate access to the host OS (or groups of which they're members) are included in the list of those denied. Repeat this procedure for Deny logon through Terminal Services. Note that denying access to the host OS over the network and through Terminal Services won't prevent users from gaining access to services offered by the VMs on the server: each guest has its own network identity and its own security policy, so if you want to restrict access to those systems, you must configure them similarly. To further secure the host, consider using Windows 2003 SP1's Windows Firewall and IPsec. However, remember that merely configuring the host OS's firewall or IPsec won't necessarily prevent users from accessing services in guest OSs.
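The two deny rights above are easy to set once and then drift as hosts are rebuilt, so it pays to audit them offline. The script below is an added example and not part of the article: it reads the policy export that `secedit /export /cfg host.inf` writes on Windows Server 2003, where the [Privilege Rights] section maps the two User Rights Assignment entries to the SeDenyNetworkLogonRight and SeDenyRemoteInteractiveLogonRight privileges, and reports any principal that should be denied but isn't. The sample export and the CORP\Domain Users group are constructed for the demonstration; a real export is UTF-16 and lists accounts it can resolve as *SID, so the required set should use SIDs in practice.

```python
"""Audit the two deny rights on a Virtual Server host from a secedit export.

Added example, not part of the original article. It reads the .inf that
`secedit /export /cfg host.inf` produces on Windows Server 2003 and checks the
[Privilege Rights] section. The sample export and the CORP\\Domain Users group
below are constructed for the demonstration.
"""

# Privilege names behind the two User Rights Assignment entries
DENY_NETWORK = "SeDenyNetworkLogonRight"        # Deny access to this computer from the network
DENY_TS = "SeDenyRemoteInteractiveLogonRight"   # Deny logon through Terminal Services

# Principals that must appear in each deny right (assumed for the example).
# secedit writes well-known accounts as *SID; S-1-5-32-546 is BUILTIN\Guests.
REQUIRED = {
    DENY_NETWORK: {"*S-1-5-32-546", "CORP\\Domain Users"},
    DENY_TS: {"*S-1-5-32-546", "CORP\\Domain Users"},
}

# Constructed export: the Terminal Services deny right is missing Domain Users.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546,CORP\\Domain Users
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
SeNetworkLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {privilege: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights


def audit_deny_rights(inf_text, required=REQUIRED):
    """Return {privilege: set(missing principals)}; an empty dict means the host complies."""
    rights = parse_privilege_rights(inf_text)
    findings = {}
    for priv, needed in required.items():
        missing = needed - rights.get(priv, set())
        if missing:
            findings[priv] = missing
    return findings


def load_export(path):
    """secedit writes its export as UTF-16; read a real file and run the audit."""
    with open(path, encoding="utf-16") as fh:
        return audit_deny_rights(fh.read())


if __name__ == "__main__":
    for priv, missing in audit_deny_rights(SAMPLE_INF).items():
        print(f"{priv}: not denied for {sorted(missing)}")
```

Run it against each host's export after every rebuild or GPO change; an empty result means both deny lists still contain everything you expect.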

You should also review your update-management strategy for host OSs running Virtual Server. For example, you shouldn't configure your host OS to use Microsoft Update (or an internal update mechanism such as SMS or WSUS) and reboot automatically after the application of an update. If your server were to reboot in such a case, the guests would be cut off as if their power had been pulled, and any unsaved data in your VMs would be lost unless you first took steps to gracefully shut down the guest OSs or at least save their state to disk. The practical implication is that you'll need to come up with a means for updating your host OS without affecting the availability of your guest OSs.

Initial Configuration

To install Virtual Server 2005 R2 Enterprise Edition, you must first download it. (See the Learning Path on page 31 for download information; registration is required.) You should also download the accompanying documentation, which contains useful and important information. Remember to install IIS prior to installing Virtual Server.

Double-click the downloaded file (i.e., setup.exe) to launch the Virtual Server Setup Wizard, and walk through the straightforward installation process. The wizard will prompt you to select the port on which the administration Web site will listen, and to configure the Web site for Constrained Delegation. Normally, the administration Web site will run under the context of the user connecting to it. In this configuration, all resource files (e.g., configuration files, virtual disks) must be on DAS. If you plan to access the resource files over a network—for example, if they're stored on a NAS device—you must configure Constrained Delegation, and the Web site will run as LocalSystem. For security reasons, and to improve performance, I always recommend storing the resource files locally. Also, don't enable Constrained Delegation. Change the Web site port only if you have a reason to do so.

Now, you need to secure the installation. Launch the Virtual Server administration Web site by clicking Start, All Programs, Microsoft Virtual Server, Virtual Server Administration Website. If the system prompts you for credentials, enter those of a user who is a member of the local Administrators group on the host OS; otherwise, you'll be denied access. (To prevent the system from prompting you for credentials each time you access the administration Web site, you can add the URL to the Local intranet zone in Microsoft Internet Explorer—IE.)

At the bottom of the Web page, you'll notice a warning that Secure Sockets Layer (SSL) isn't enabled for the site. Your first order of business is to obtain an SSL certificate to secure traffic to and from the administration Web site. If you're running Microsoft Certificate Services, you can use that to obtain an SSL certificate; otherwise, you can obtain one from a third-party source, such as VeriSign (although that route can be expensive). Open the MMC IIS snap-in, and expand the Web Sites node under the Web server's name. You'll find a Web site named Virtual Server; this is the site for which you need to request an SSL certificate. Don't forget to select a free TCP port for the SSL connection and configure the Web site to use it. I recommend that you also configure the Virtual Server Web site to require SSL connections. After you've configured SSL, you'll need to remember to use the new URL to connect to the Web site, specifying "HTTPS" instead of "HTTP" and entering the SSL port number that the site uses. You might want to create a URL shortcut and save it to your desktop.

The next step is to configure who has access to the administration Web site. By default, any member of the local Administrators group has rights to administer Virtual Server. I recommend that you manually add the users and groups who need administrative access, rather than simply adding them to the local Administrators group. To grant users permissions, launch the administration Web site, select Server Properties in the Web site's left pane, then click Virtual Server Security. You can use the Add entry button to add users and groups, as Figure 1, page 25, shows.

If you're adding a domain user or domain group to the list, you should specify the entry in the form DOMAINNAME\username or DOMAINNAME\groupname. Each user or group can have several permissions. The Virtual Server Administrator's Guide, which you can find in the Microsoft Virtual Server program group, details each permission. As its name implies, Full grants a user or group all permissions. In general, you should grant users only the permissions they need to perform their assigned tasks. Note that you can't remove the local Administrators group, which is always granted access even if you attempt to remove its permissions. The practical implication is that any domain administrator has access to the Virtual Server administration Web site. If you don't want domain administrators to have this level of access, you'll need to remove the Domain Admins group from the local Administrators group on the host OS.

You should also secure the Virtual Machine Remote Control (VMRC) server. To configure the VMRC server, select Server Properties in the Web site's left pane, then click Virtual Machine Remote Control (VMRC) Server. The first option to configure is the Authentication method, as you see in Figure 2, page 27. Authentication is typically transparent to the user and takes place between the VMRC client and the VMRC server. Once authenticated, the user is connected to the VM's console and isn't automatically logged on to the VM itself. The choices for authentication are Automatic, NTLM, or Kerberos. NTLM authenticates the user to the server but gives the client no way to verify that the server isn't an impersonator; Kerberos provides mutual authentication, so prefer it where the host is a domain member. You should select the Disconnect idle connections check box, which is the Virtual Server equivalent of a screen saver.

Virtualization technology is the cornerstone of IT director Seth Copeland's disaster recovery strategy

BY B.K. WINSTEAD

For Seth Copeland, taking the job of IT director for Tanner & Haley Resorts in Kansas City, Missouri, meant jumping in to the development of a disaster recovery plan to support the company's 160 users. "When I first took over this position in October 2005, there was really no plan; we simply used tape backup," Seth said. Adding to the complexity of implementing such a plan, Tanner & Haley filed for Chapter 11 bankruptcy in July 2006 (and is in the process of being acquired by Ultimate Resort)—just as the newly developed disaster recovery plan was going into effect. Taking advantage of cost and space savings, Seth decided to implement a virtualized disaster recovery solution. I spoke with Seth about how he used virtualization to provide a budget-friendly, two-tiered approach to high availability and recovery.

Q: What triggered the development of a disaster recovery plan for the company at this time?

A: For me, the motivator event was when a tornado touched down not too far from the office. Most disasters in Kansas City are the local ones, tornados, that type of thing. I think there may be a fault line somewhere, but I don't know. The Missouri River might flood, but we're pretty far from the river. If somebody nukes Kansas City, then we're probably out, but I don't worry too much about that.

Q: Explain your current disaster recovery solution. Does the plan define procedures according to a disaster's severity?

A: Our plan uses VMware products and NSI Software's Double-Take for Virtual Systems software. I have a server here in my data center that runs VMware GSX Server, and I replicate all my individual servers onto it locally. The GSX Server machine serves as my local, high-availability server, in case I lose a single box. If my mail server dies or my database server goes down, the local high-availability server takes over. Additionally, all those virtual servers on the local high-availability box then replicate over to our Overland Park, Kansas, site via the Double-Take software, to four boxes there, on which we put about four or five servers each
using VMware GSX Server. The virtualized server here at my main data center takes care of a single server failure. The Overland Park site takes care of site failure.

My two main concerns were how fast could I get the system back up and whether the virtual site could handle everybody coming into it. Could it handle the load? And it did. For our recovery time objective (RTO), we generally shoot for about two hours, losing no more than the last 10 minutes of data. That's what I set up, looking at the business needs.

Losing one disk, losing the mail system, the reservation system—that's a small disaster. The plan takes care of that by just failing the systems over to the local server.

The plan also takes into account an event that wipes out this building, where employees can't even come here and people have to work from home. In that event, we'll need to get the call center back as quickly as possible, so we'll have employees take home their office phones, reroute our phone lines to corporate headquarters in Connecticut, and connect to the Mitel Networks VoIP phone system to run the call center out of their homes.

Q: Why did you make virtualization the basis for your solution?

A: The main justification was the cost savings. After we filed Chapter 11, every dollar counted. Virtualization software has come far enough and the hardware is powerful enough that I have no worries about running our recovery servers in virtual machines. I mean, if I had to build my data center from scratch, I'd definitely do so by virtualizing more. So that's why we opted to go with virtualization, really—to save on hardware costs and save on rack space in our disaster recovery site.

Q: In addition to restoring call-center services, what are some other components of your business continuity plan?

A: I've given the individual managers telephone plans—that is, how I'm going to communicate with them in the event our systems go down, because it's going to be a little while before our BlackBerries and email come back online.

I also ask the managers to prioritize a few items: Who are their most important people—whose service should be restored, and in what order—and what are their most important systems? If on the first day of the disaster, I can get 10 of your people back on, who are your most important 10?

Q: How's the solution running so far? Have you had the opportunity to use it in an actual disaster yet?

A: We haven't had any issues with the solution. We test it every few months. In testing, my two main concerns have been how fast can I get the system back up and can the virtual site in Overland Park handle the load of all our users switching over to it. And it performed well on both counts. We haven't had to use it in real life yet. I hope we never have to.
It's enabled by default, and the timeout period is set to 15 minutes.

You should also enable SSL 3.0/TLS 1.0 encryption. By default, the communication between a VMRC client and a VMRC server is unencrypted, so console sessions (including any credentials typed at a guest's logon screen) cross the network in the clear; installing a certificate secures that communication. Virtual Server can help you build a request for a certificate. Select the Request radio button, and fill out the pertinent information in the form before clicking OK. When you click OK, a certificate request is generated for you, as Figure 3, page 29, shows. You can cut and paste the request and submit it to a CA. You can load the issued certificate back into the VMRC server by clicking Virtual Machine Remote Control (VMRC) Server in the administration Web site and selecting Upload. Doing so enables the Browse button, which lets you browse to the certificate file. Clicking OK again loads the certificate into the VMRC server.

Securing Resource Files

Virtual Server uses several resource files. Common files are virtual machine configuration (.vmc) files, virtual hard disk (.vhd) files, and virtual machine saved state (.vsv) files. In particular, .vhd and .vsv files contain sensitive information and require protection: a .vhd holds the guest's entire disk and a .vsv holds its memory image, so an attacker who can read these files might be able to glean documents, passwords, cryptographic keys, and other secrets. At a minimum, you should ensure that access to these files is restricted, using discretionary ACLs (DACLs), to users who have administrative rights on the virtual server and to Virtual Server itself. When you configure who has administrative access to Virtual Server, the DACLs are set automatically, but you can change them manually. You can opt to run VMs under named user accounts: select the VM from the administration Web site's Master Status page (or select Virtual Machines, Configure in the administration Web site's left pane), select General Properties in the Machine Status pane, then select the Run virtual machine under the following user account check box and enter the username and password of a valid user, as Figure 4 shows. You'll need to ensure that the named user is granted access to the resource files by editing the DACL.
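To see why a .vhd needs this protection (and why the hex-editor warning at the start of the article is literal), it helps to know that a fixed-size .vhd is nothing but the guest's disk sectors with a 512-byte footer appended. The script below is an added example, not code from the article or from Virtual Server: it builds a tiny fixed disk in memory (the "secret" in it is constructed), parses the public VHD footer layout (the conectix cookie, big-endian fields and one's-complement checksum), and then searches the raw sectors for a string exactly as a hex editor or a strings-style forensics tool would. Dynamic and differencing disks keep their data in blocks behind a block allocation table, which this example does not walk.

```python
"""A fixed-size .vhd is the guest's raw disk sectors followed by a 512-byte footer,
so anyone who can read the file can read the guest's data.

Added example, not code from the original article or from Virtual Server. The
footer layout (the 'conectix' cookie, big-endian fields, one's-complement
checksum) is the public VHD format; the disk image and the secret it contains
are constructed in memory for the demonstration.
"""
import struct

FOOTER_FMT = ">8sIIQI4sI4sQQHBBII16sB427s"   # 512 bytes, big-endian
FOOTER_SIZE = struct.calcsize(FOOTER_FMT)
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
CHECKSUM_OFFSET = 64


def vhd_checksum(footer):
    """One's complement of the byte sum, computed with the checksum field zeroed."""
    zeroed = footer[:CHECKSUM_OFFSET] + b"\x00" * 4 + footer[CHECKSUM_OFFSET + 4:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def build_fixed_vhd(sector_data):
    """Constructed fixed VHD for the example: raw sectors followed by a valid footer."""
    if len(sector_data) % 512:
        raise ValueError("disk data must be a whole number of 512-byte sectors")
    size = len(sector_data)
    heads, spt = 16, 63
    cylinders = max(1, size // (512 * heads * spt))
    fields = [b"conectix", 0x2, 0x00010000, 0xFFFFFFFFFFFFFFFF, 0,
              b"vs  ", 0x00010000, b"Wi2k", size, size,
              cylinders, heads, spt, 2, 0, b"\x00" * 16, 0, b"\x00" * 427]
    fields[14] = vhd_checksum(struct.pack(FOOTER_FMT, *fields))   # index 14 = checksum
    return sector_data + struct.pack(FOOTER_FMT, *fields)


def read_footer(image):
    """Parse the trailing footer; raise if the cookie or checksum is wrong."""
    footer = image[-FOOTER_SIZE:]
    f = struct.unpack(FOOTER_FMT, footer)
    if f[0] != b"conectix":
        raise ValueError("not a VHD footer")
    if f[14] != vhd_checksum(footer):
        raise ValueError("footer checksum mismatch")
    return {
        "disk_type": DISK_TYPES.get(f[13], "unknown"),
        "current_size": f[9],
        "creator_app": f[5].decode("ascii", "replace").strip(),
        "saved_state": bool(f[16]),
    }


def raw_sectors(image):
    """For a fixed disk, everything before the footer is the guest's disk, unencrypted."""
    if read_footer(image)["disk_type"] != "fixed":
        raise ValueError("dynamic/differencing disks keep data in blocks (not handled here)")
    return image[:-FOOTER_SIZE]


def find_bytes(image, needle):
    """Offsets of needle in the raw disk data: what a hex editor search would return."""
    data = raw_sectors(image)
    offsets, start = [], 0
    while (pos := data.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


# Constructed 4-sector guest disk with a 'secret' written into sector 2.
SECRET = b"password=example-only"
_disk = bytearray(4 * 512)
_disk[1024:1024 + len(SECRET)] = SECRET
SAMPLE_VHD = build_fixed_vhd(bytes(_disk))

if __name__ == "__main__":
    print(read_footer(SAMPLE_VHD))
    for off in find_bytes(SAMPLE_VHD, b"password="):
        print(f"0x{off:x}: {raw_sectors(SAMPLE_VHD)[off:off + len(SECRET)]!r}")
```

Nothing in the format stands between a reader of the file and the guest's data; that is why the DACL and, below, EFS are the controls that matter.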

Using a named user account to run a VM also lets you use Encrypting File System (EFS) to protect any .vhd files that the VM uses. Simply log on to the system with the credentials of the user account that the VM runs under, navigate to the .vhd files, and use Windows Explorer or cipher.exe to encrypt each. You might need to permit the user interactive or Terminal Services access to the Virtual Server host to log on, but you can always deny such access after the .vhd files have been secured. (Note that you shouldn't EFS-protect .vmc or .vsv files in the parent folder. If you do, Virtual Server won't be able to start the VM.) Remember that EFS protects the files only from other accounts: anyone who obtains that account's password, or who holds the key of a configured EFS data recovery agent, can still read them, so the strength of the VM account's password matters.

Virtual Server lets you map physical disks in the host OS to virtual disks in the guest OSs. I don't recommend such mapping because it can be difficult to ensure that no sensitive information is inadvertently exchanged between host and guest OSs. Corruption of files can occur easily, and a shared disk is a natural path for malware to spread from host to guest OS and vice versa.


Securing VMs

When Virtual Server runs a VM, you need to treat that system just as you would treat a physical system. You need to consider whether to configure and use Windows Firewall on each VM, independent of the host OS's Windows Firewall configuration; the update strategy for each; and whether you need to use tools such as the Security Configuration Wizard (SCW) to lock down each VM. An infected or otherwise compromised VM can be as great a risk to your enterprise as an infected physical machine.

The Price Is Right

Microsoft is making virtualization even more attractive to the enterprise by restructuring its licensing terms for some of its products. Both Virtual Server and Virtual PC 2007 are now available as free downloads to qualified customers. Customers who purchase Windows 2003 Release 2 (R2) Enterprise Edition can now run as many as four virtual instances of the OS on one physical server without purchasing extra copies, and Windows 2003 Datacenter Edition users can run unlimited numbers of virtual instances.

Virtual Server is a powerful tool. However, its use comes with risks. Malicious users can potentially gather secrets in all forms from virtual hard disks, and can feasibly eavesdrop on communications between VMRC clients and the VMs themselves. This article's recommendations will help you secure your Virtual Server installations and protect the important data contained in your VMs.
PROBLEM: You need an easy way to set up a replicated, fault-tolerant data-publication system.

SOLUTION: Use the new DFS Replication (DFSR) feature in Windows Server 2003 R2.

WHAT YOU NEED: Windows Server 2003 R2

DIFFICULTY: •••oo

BY SEAN DEUBY

Any administrator who manages a distributed network knows what a pain it is to distribute data around the network to where it's needed and keep it all in sync. Historically, data distribution hasn't been a strong point of Windows: most administrators use the old Robocopy utility to do their replication and synchronization work because the built-in File Replication Service (FRS) just isn't up to the task.

Robocopy works great, but it's just a simple command-line utility with limited features. Now you have a better alternative. One of the coolest new features of Windows Server 2003 Release 2 (R2) is DFS Replication (DFSR). DFSR is a complete reworking of FRS, with none of the limitations of its predecessor. Using DFSR with R2's improved DFS (now called DFS Namespaces), it's really easy to set up a replicated, fault-tolerant data-publication system.

The Basics of DFS and DFSR

DFS is a utility that abstracts Universal Naming Convention (UNC) names into a folder hierarchy using names you choose. For example, you can take a collection of shares such as \\flaserver1\reports, \\tx-server4\reports, and \\caserver2\reports and create a namespace out of it. A namespace is a virtual tree of folders that begins with \\ServerOrDomainName\RootName. In our example, the namespace would have a top-level folder named Reports and three subfolders: Florida, Texas, and California. Thanks to DFS, an employee looking for Texas reports could simply connect to \\ServerOrDomainName\Reports and click the Texas folder, instead of trying to remember which server the share resides on.

You can also use DFS to make data easily accessible by grouping it under a common UNC name, regardless of which server the data is stored on. DFS does this grouping when you map a DFS folder to multiple network shares (aka link targets) scattered in different locations. Because DFS is Active Directory (AD) site aware, a Windows XP or Windows 2000 client accessing a DFS folder will attempt to find the closest link target—a process Microsoft calls the data distribution scenario. (To learn about how DFS and AD integrate with each other, see the sidebar "How DFS and AD Work Together," page 34.) For the data distribution scenario to work properly, users must see the same files regardless of which link target they connect to, so all the network shares to which a folder is mapped must contain identical data.

DFSR is a multimaster replication engine used to distribute copies of data across multiple servers. It can run with or without DFS Namespaces, but its most popular use is to ensure that every member of a set of servers—a replica set—contains identical data and that replication is fast and bandwidth-efficient. It has many features, including bandwidth management, replication scheduling, and an innovative compression algorithm (Remote Differential Compression, or RDC, which sends only the changed portions of a file), that together dramatically decrease the amount of network bandwidth needed to keep data synchronized across your network. Microsoft reports that using DFSR results in up to a 300 percent improvement in the speed of large-file replication and 40 percent less administrative time spent managing the replication set.
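Because the data distribution scenario only works when every link target holds identical data, it is worth verifying that assumption after replication settles rather than trusting it. The following script is an added example, not part of the article or of DFSR: it hashes every file under each replica root and reports files that are missing from a member or whose contents differ between members. The three replica roots, named after the article's example servers, are constructed in a temporary directory; in production you would pass the UNC paths of the link targets.

```python
"""Verify that every link target (replica set member) holds identical data.

Added example, not part of the original article or of DFSR. The three replica
roots are constructed in a temporary directory and named after the article's
example servers; in production you would pass the link targets' UNC paths.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative file path -> SHA-256 of contents for every file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result


def compare_replicas(roots):
    """Return {relative_path: {root: digest or None}} for every file that is
    missing from a member (None) or whose contents differ between members."""
    snaps = {root: snapshot(root) for root in roots}
    findings = {}
    for rel in sorted(set().union(*snaps.values())):
        digests = {root: snaps[root].get(rel) for root in roots}
        if len(set(digests.values())) > 1:
            findings[rel] = digests
    return findings


def build_sample_replicas(base):
    """Constructed replica roots: 'Texas' is stale on one member, 'Florida' is
    missing on another, 'California' is consistent everywhere."""
    roots = [os.path.join(base, n) for n in ("flaserver1", "tx-server4", "caserver2")]
    files = {
        "Florida/q1.txt": b"florida q1 report",
        "Texas/q1.txt": b"texas q1 report",
        "California/q1.txt": b"california q1 report",
    }
    for root in roots:
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
    with open(os.path.join(roots[1], "Texas", "q1.txt"), "wb") as fh:
        fh.write(b"texas q1 report (stale copy)")
    os.remove(os.path.join(roots[2], "Florida", "q1.txt"))
    return roots


def demo():
    """Build the sample replicas in a temp dir and return compare_replicas() for them."""
    with tempfile.TemporaryDirectory() as base:
        return compare_replicas(build_sample_replicas(base))


if __name__ == "__main__":
    for rel, digests in demo().items():
        print(rel)
        for root, digest in digests.items():
            print(f"  {os.path.basename(root)}: {digest or 'MISSING'}")
```

A non-empty result right after a change is normal while DFSR is still replicating; a non-empty result that persists past the replication schedule is the thing to investigate.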


A DFSR Scenario

Let's take a hypothetical software distribution system that uses DFS and FRS and rebuild it using DFS Namespaces and DFSR. HardwareTX is a small company with offices in Houston, Fort Worth, and Sweetwater, Texas. One of the services it provides to
In a perfect environment, all of the computers on a network have all of the most recent patches applied, have their firewalls configured and their anti-virus software up to date. In the real world, however, even the best-managed networks have some computers that have fallen through the cracks. They may be portable computers used by sales staff that are away from the office for weeks, or they may be desktop computers that sit unused for months and have missed out on many recent patches and anti-virus updates. Network Access Protection, a new feature in Windows Longhorn Server, provides a way of ensuring that only clients that have dotted their Is and crossed their T's are able to connect to the organization's network. This article will look at how Network Access Protection policies are configured and will provide a summary of how they are used to keep clients that connect to the network in an appropriate state of health.

Network Access Protection Requirements

Network Access Protection (NAP) requires Windows Server Longhorn. To get the most out of Network Access Protection, the forest should be at the Windows Longhorn Server functional level, though the aspects of NAP covered in this article will also work at the Windows Server 2003 functional level. Network Access Protection is enabled on a Windows Longhorn server by adding the Network Access Services role. It is possible to install this role on a domain controller, though on larger networks it should be installed on a separate member server. Installing the Network Access Services role also requires you to install the Web Server role and the Windows Activation Service feature. Once this role is installed you are able to access all of the Network Access Protection functionality through the Network Policy Server console, available in the Administrative Tools menu and shown below in the exhibit.

Network Access Protection will work with clients that have Windows Vista or Windows XP Professional with Service Pack 2 (SP2) installed. By default, not all of the System Health Validator conditions that can be applied to Windows Vista can be applied to clients running Windows XP SP2. There are presently no System Health Validators for Windows Server 2003 or Longhorn computers. There are several steps involved in configuring Network Access Protection; this article focuses on configuring the Network Access Protection policies. Once NAP policies are configured, they are used in conjunction with Network Policy Server policies to mediate LAN access. The reason for this is clearer when you understand that a Network Policy Server is a RADIUS server that mediates access to the network for all clients on the LAN, not just remote clients. Network policies will be covered later in the article.

Overview of Network Access Protection

Network Access Protection (NAP) is designed to help administrators maintain the health of the computer network through three important features:

• Network Policy Validation. The health state of computers that request access is validated against the network access policies.

The Network Access Protection Settings

Once the Network Access Services role has been installed on a server that is a member of the domain, you can open the Network Policy Server console from the Administrative Tools menu. The Network Access Protection settings are made up of three components:

• System Health Validators (SHV). These are used to determine the configuration requirements that clients must meet and what to do in the event that errors arise. Longhorn ships with a validator for Windows Vista and XP SP2 clients. Other vendors may supply validators for their products, which would be included here. Applications on clients, known as System Health Agents, communicate with the SHVs on the Network Policy Server during the compliance check process.

• System Health Validator Templates. These are pre-built pages used by Network Policies to specify whether one or all SHV checks must be successfully passed. System Health Validator templates help administrators quickly select the desired SHVs on the network.

• Remediation Server Groups. The set of servers that clients on the remediation network are able to access. These servers generally host software and anti-virus updates and are used to automatically update "unhealthy" clients so they become compliant.

These components are visible under the Network Access Protection node in the Network Policy Server console.

Configuring System Health Validators

To configure the Windows Security Health Validator, double-click the policy in the System Health Validators node under the Network Access Protection node in the Network Policy Server console. Doing so opens the Windows Security Health Validator Properties dialog box shown below.
The basic policy dialog allows you to configure the system health validator and how Network Access Protection behaves in the event of an error. These errors include:

• Policy servers are unreachable
• Remediation servers are unreachable
• A system health agent fails
• A NAP server fails
• Any other error occurs

Although configuring these settings allows you to ensure strict health requirements on your network, in some cases you might wish to relax these restrictions, such as when a policy server goes offline. Otherwise you may find that all of your clients end up on the remediation network. Be aware, though, that treating an error as compliant fails open: a client that cannot be checked, for whatever reason, is then granted full access, so relax these settings deliberately and only for the error conditions you have planned for.

To configure the system health validator program, click Configure on the Windows Security Health Validator Properties dialog. This brings up the standard Windows Security Health Validator, shown in the exhibit. This allows you to set the checks on client health that must be passed for the client to be deemed compliant.

When configuring the validator, all or some of the options can be set. The options are as follows:

• A firewall is enabled for all network connections. This firewall can be the Windows Firewall or a third-party firewall program. The firewall must apply to all connections. If a computer has the firewall applied to its wireless connection, but not its LAN connection, it will be deemed non-compliant. Remediation may require manual reconfiguration.

• Virus protection is active. An anti-virus program recognized by Windows is installed and active. If a computer has an anti-virus program installed, but deactivated, it will not pass this check.

• Virus protection is up to date. This option is only available if the anti-virus application condition is enabled.

• An anti-spyware application is on. Similar to anti-virus, the application must be installed and active.

• Anti-spyware is up to date. Only available if the anti-spyware application condition is enabled.

• Automatic updating is enabled. The Windows client computer is configured for automatic updates. Updates can be retrieved from Windows Update or a WSUS server.

• Quarantine clients that do not have all available security updates installed. This option can only be successfully enforced if a WSUS server is defined using Group Policy. The policy will use the list of approved updates located on the WSUS server. This allows administrators to withhold deployment of updates until they are fully tested without having to worry that NAP clients will be deemed non-compliant. The five settings for this check are:

  • All critical priority deployed updates are installed
  • All critical and important priority deployed updates are installed
  • All critical, important and moderate priority deployed updates are installed
  • All critical, important, moderate and low priority deployed updates are installed
  • All deployed updates are installed
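Taken together, the options above form a small decision procedure, and it is easier to reason about once it is written out. The code below is an added example, not part of the article or of Windows Server's validator: it models the Windows Security Health Validator checks as described (firewall on every connection, the "up to date" checks only meaningful when the matching application check is on, no anti-spyware check on XP SP2, security updates by severity level, and the error settings from the earlier section) and shows how a template then combines several SHV results. The policy, the two client health reports and all field names are constructed for the demonstration.

```python
"""Model of the Windows Security Health Validator checks described above and of
how a validator template combines several SHV results.

Added example, not part of the original article or of Windows Server NAP. Field
names, the policy and the two client health reports are constructed for the demo.
"""

SEVERITY_ORDER = ["critical", "important", "moderate", "low", "unclassified"]

# Security-update setting -> severities for which no deployed update may be missing
UPDATE_LEVELS = {
    "critical": SEVERITY_ORDER[:1],
    "critical_important": SEVERITY_ORDER[:2],
    "critical_important_moderate": SEVERITY_ORDER[:3],
    "critical_important_moderate_low": SEVERITY_ORDER[:4],
    "all": SEVERITY_ORDER,
}

# Constructed policy: what an administrator would tick in the validator dialog.
# on_error is what the SHV reports when it cannot get an answer (policy or
# remediation server unreachable, SHA failure, ...): "noncompliant" fails closed.
POLICY = {
    "firewall": True,
    "antivirus": True, "antivirus_up_to_date": True,
    "antispyware": True, "antispyware_up_to_date": True,
    "automatic_updates": True,
    "security_updates": "critical_important",
    "on_error": "noncompliant",
}


def evaluate_shv(policy, report):
    """Return (compliant, failure_reasons) for one client's health report."""
    if report.get("error"):
        ok = policy["on_error"] == "compliant"
        return ok, ([] if ok else [f"error: {report['error']}"])

    failures = []
    if policy["firewall"]:  # must be on for every connection, not just some
        off = sorted(c for c, on in report["firewall_by_connection"].items() if not on)
        if off:
            failures.append("firewall off on: " + ", ".join(off))

    if policy["antivirus"]:
        av = report["antivirus"]
        if not (av["installed"] and av["enabled"]):
            failures.append("antivirus not installed/active")
        elif policy["antivirus_up_to_date"] and not av["up_to_date"]:
            failures.append("antivirus signatures out of date")

    # XP SP2 clients cannot report anti-spyware state, so the check is skipped for them
    if policy["antispyware"] and report["os"] != "xp_sp2":
        asw = report["antispyware"]
        if not (asw["installed"] and asw["enabled"]):
            failures.append("anti-spyware not installed/active")
        elif policy["antispyware_up_to_date"] and not asw["up_to_date"]:
            failures.append("anti-spyware definitions out of date")

    if policy["automatic_updates"] and not report["automatic_updates"]:
        failures.append("automatic updating disabled")

    level = policy.get("security_updates")
    if level:
        required = UPDATE_LEVELS[level]
        missing = [u["kb"] for u in report["missing_deployed_updates"] if u["severity"] in required]
        if missing:
            failures.append("missing updates: " + ", ".join(missing))

    return not failures, failures


def evaluate_template(mode, shv_results):
    """Combine SHV results the way a template does: 'all' SHVs must pass, or 'one'."""
    passed = [ok for ok, _ in shv_results]
    return all(passed) if mode == "all" else any(passed)


# Constructed health reports (the KB numbers are placeholders)
VISTA_LAPTOP = {
    "os": "vista",
    "firewall_by_connection": {"Wireless": True, "Local Area Connection": False},
    "antivirus": {"installed": True, "enabled": True, "up_to_date": False},
    "antispyware": {"installed": True, "enabled": True, "up_to_date": True},
    "automatic_updates": True,
    "missing_deployed_updates": [{"kb": "KB000001", "severity": "moderate"}],
}
XP_DESKTOP = {
    "os": "xp_sp2",
    "firewall_by_connection": {"Local Area Connection": True},
    "antivirus": {"installed": True, "enabled": True, "up_to_date": True},
    "antispyware": {},  # not reportable on XP SP2
    "automatic_updates": True,
    "missing_deployed_updates": [{"kb": "KB000002", "severity": "low"}],
}

if __name__ == "__main__":
    results = [evaluate_shv(POLICY, r) for r in (VISTA_LAPTOP, XP_DESKTOP)]
    for name, res in zip(("Vista laptop", "XP desktop"), results):
        print(name, res)
    print("template 'all':", evaluate_template("all", results))
    print("template 'one':", evaluate_template("one", results))
```

Two things the model makes visible: a single connection without a firewall fails the whole SHV even when every other check passes, and the severity level you pick for security updates decides whether a client missing only a moderate update is quarantined or not.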


The list of Windows XP SP2 client settings only differs from the Windows Vista settings in that it is not possible to have the Spyware Protection settings checked on Windows XP SP2 computers.

Third-party validators are likely to be very similar to the Windows Security Health Validator included by default with Windows Longhorn Server and are edited in the same manner. You can configure as many validators as you have access to, but it is the validator template that determines how Network Policy uses them.

Configuring System Health Validator Templates

System Health Validator Templates, shown at right, allow you to extend the conditions under which a client computer is deemed healthy or unhealthy. By default, only the Windows Security Health Validator, covered above, is available. As more System Health Validators are installed, you can extend these templates. The templates are used to specify whether a client must pass all, some, or none of the SHV tests. Each SHV might comprise a group of individual requirements, and all of them must be met for a pass on that SHV. For example, with the SHV configured in the earlier section, if the virus definitions were not up to date, the computer would fail the entire SHV.

It is possible to create multiple templates. You select a specific template to apply when creating the Network Policy on the Network Policy Server. You might wish to do this to force VPN clients to adhere to stricter criteria than you do clients connecting via wireless access points or those that obtain their network address via DHCP.

Configuring Remediation 
Server Groups 

A remediation server group is a collection of network addresses (IPv4, IPv6 or FQDN) to which non-compliant clients can connect. It is similar in a way to a screened subnet, and some administrators may configure their networks so that remediation servers are isolated from the rest of the network by a firewall. To create a remediation server group, right-click the Remediation Server Groups node in the Network Policy Server Console and select New. This will start a wizard that allows you to add the addresses of all servers in a particular remediation group. It is possible to create multiple remediation groups, and a different remediation group can be used by each Network Policy on the Network Policy Server. 

Overview of Access to NAP networks 

It is necessary to set up the Network Policy Server to make Network Access Protection work. Network Policy Server is the replacement technology for Windows Server 2003's Internet Authentication Service (IAS) and, like IAS, is an implementation of RADIUS. When a client connects it is subjected to a policy. During policy setup you specify a particular system health validator template and remediation server group. 

Configuring Network Policies, like configuring other types of RADIUS policies, is an involved process and won't be covered in detail here. In short, the Network Policy uses the System Health Validator Template to determine how the client will be treated. You can configure the Network Policy to allow a client that fails the System Health Validator Template test to have access to the organizational network, simply logging the non-compliant state so that support personnel can take action at a later date. Alternatively, you can configure the policy to limit clients that fail the System Health Validator test so that they can only access hosts in a configured Remediation Server Group. 

There is also an option within the Network Policy 
that can force clients that fail the health check to 
then attempt to become compliant. This forced 
compliance works through the system health agent, 
which is installed on the client. It is also possible to 
configure Network Policies so that client computers 
are directed to a web page on a server within the 
remediation server group. A typical Web page might 
describe how users with problematic computers can 
send a remote assistance invitation to support staff. 
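To make the chain of decisions described above concrete, here is a small model of it in Python. This is an added example, not code from the article or from Microsoft's NAP or NPS; the statement-of-health fields, the client records and the policy settings are all constructed. It shows an SHV failing as a whole when one requirement (stale antivirus definitions) fails, the WSUS update check with its priority threshold, the validator template deciding whether a client must pass all, some or none of the SHVs, and the Network Policy choosing between full access, full access with the non-compliant state logged, and restriction to the remediation server group.

```python
"""Model of how NAP turns a Statement of Health into an access decision.

Added example; not code from the article or from Microsoft's NPS/NAP.
Every name, field and client record below is constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum

# WSUS deployment priorities in the order the article's settings nest them.
PRIORITIES = ("critical", "important", "moderate", "low")


class Access(Enum):
    FULL = "full access"
    FULL_LOGGED = "full access, non-compliance logged"
    REMEDIATION_ONLY = "restricted to remediation server group"


@dataclass
class StatementOfHealth:
    """What the client's system health agent reports (constructed fields)."""
    firewall_on: bool
    antivirus_on: bool
    antivirus_definitions_current: bool
    automatic_updates_on: bool
    # priority -> number of WSUS-approved updates at that priority not installed
    missing_updates: dict = field(default_factory=dict)


def windows_shv(soh, update_threshold="important"):
    """Windows Security Health Validator (modelled).

    Returns (passed, failed_checks). Every requirement must be met for the
    SHV to pass; a stale antivirus definition alone fails the whole SHV.
    update_threshold is one of PRIORITIES (all critical ... through that
    priority must be installed), "all" for every deployed update, or None
    to skip the update check.
    """
    checks = {
        "firewall": soh.firewall_on,
        "antivirus": soh.antivirus_on and soh.antivirus_definitions_current,
        "automatic updates": soh.automatic_updates_on,
    }
    if update_threshold == "all":
        required = PRIORITIES
    elif update_threshold is None:
        required = ()
    else:
        required = PRIORITIES[: PRIORITIES.index(update_threshold) + 1]
    if required:
        checks["security updates"] = all(
            soh.missing_updates.get(p, 0) == 0 for p in required
        )
    failed = [name for name, ok in checks.items() if not ok]
    return not failed, failed


def template_matches(shv_results, mode):
    """Validator template: must the client pass all, some, or none of the SHVs?"""
    passed = [ok for ok, _ in shv_results]
    if mode == "all":
        return all(passed)
    if mode == "some":
        return any(passed)
    if mode == "none":
        return not any(passed)
    raise ValueError(f"unknown template mode {mode!r}")


def network_policy(soh, validators, template_mode="all", enforce=True):
    """Apply a Network Policy: run each SHV, test the template, decide access.

    enforce=False is the article's log-only configuration: a failing client
    still reaches the organizational network, but its state is recorded.
    Returns (access, {validator_index: failed_checks}).
    """
    results = [shv(soh) for shv in validators]
    failures = {i: failed for i, (ok, failed) in enumerate(results) if not ok}
    if template_matches(results, template_mode):
        return Access.FULL, failures
    return (Access.REMEDIATION_ONLY if enforce else Access.FULL_LOGGED), failures


# Constructed clients, not real machines.
HEALTHY = StatementOfHealth(True, True, True, True, {"low": 2})
STALE_AV = StatementOfHealth(True, True, False, True, {})
MISSING_CRITICAL = StatementOfHealth(True, True, True, True, {"critical": 1})

if __name__ == "__main__":
    for name, soh in [("healthy", HEALTHY), ("stale AV", STALE_AV),
                      ("missing critical", MISSING_CRITICAL)]:
        access, failures = network_policy(soh, [windows_shv])
        print(f"{name}: {access.value} {failures}")
```

Note that `HEALTHY` is missing two low-priority updates yet passes at the default "all critical and important" threshold; raising the threshold to "all" makes the same client non-compliant, which is exactly the knob the article describes for keeping untested updates from tripping NAP clients.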

Summary 

Having client access to the LAN mediated by a RADIUS server policy is a significant departure from the traditional way of connecting to a network. Unlike tools such as the Microsoft Baseline Security Analyzer (MBSA), which will also provide information on non-compliant clients, a big advantage of NAP is that, through system health agents, most clients can be forced to update through the Network Policy, something difficult to do with the MBSA tool. 

For more information on NAP, 
visit Microsoft's NAP website 
http://www.microsoft.com/nap 
Set up a replicated data-publication system 

Windows Server 2003 R2 


its clients is installing customized OS builds on notebooks, desktops, and servers. To support this service, the company has a software distribution system that keeps copies of CD-ROM and DVD ISO images at each office. When a build needs to be updated, the home office in Houston changes the master copy, creates a new image of it, and copies the image to the distribution system's local share at each location. 

FRS keeps the network shares at the Fort Worth 
and Sweetwater branches synchronized. FRS is so 
troublesome, however, that Emily, the distribution 
system administrator, planned to use Robocopy 
instead. However, with the availability of Windows 
2003 R2, she scrapped those plans and will use 
DFSR. 

Prep Work 

Before Emily can start using DFSR, her IT colleagues need to upgrade the company's AD schema to Windows 2003 R2 by running the Adprep utility. This schema upgrade, or extension, is necessary to support DFSR's required classes and attributes. (See the x86\setup\CMPNENTS\R2\ADPREP\SCH31.LDF file on the distribution media for more information about the schema changes.) 

While she waits for the schema extension, Emily must upgrade her distribution servers to R2. If you're already running Windows 2003 and you've installed Service Pack 1 (SP1), you'll find R2 installation a snap. (For instructions on installing R2, see the Web-exclusive article "How do I install Windows Server 2003 R2 on a Windows 2003 Service Pack 1 installation?" March 2006, InstantDoc ID 49716.) Then, she needs to install DFS from the Windows Components section of the Add/Remove Programs Control Panel applet. 

Like AD replication, DFSR is designed for a "read mostly" environment. Because the replication engine is loosely coupled, updates to a file on one member of a replica set don't lock that file on other members, nor are the updates transmitted immediately. Therefore, DFSR isn't suited for a highly active, update-rich system. You might work around this technical restriction by using business processes to restrict updates of a particular set of files to one replica member; file locking will then ensure that changes are made in a sustainable manner. 


Namespace Considerations 

After the schema and distribution servers are upgraded, Emily chooses to remove, restructure, and rebuild her DFS namespace to a simpler configuration than the current production version. She isn't required to rebuild her namespace; previous versions are compatible with R2 and can take advantage of new features when the participating servers are upgraded. Because she has to upgrade all of her servers, however, she takes advantage of this opportunity to restructure the DFS Namespace's logical configuration. 

Before rebuilding her namespace on R2, she has to install the Microsoft Management Console (MMC) DFS Management snap-in. (If she's going to use the snap-in on a server other than the namespace servers—say, a management server—she first needs to upgrade that server to R2.) She goes to the Windows Components section of the Add/Remove Programs Control Panel applet, chooses Distributed File System, clicks the Details button, then selects the DFS Management and DFS Replication Diagnostic components and clicks OK. 

On an XP client, upgrading to R2 isn't as straightforward: R2 is on two CD-ROMs, and if you try to install the administration tools using the usual adminpak.msi package, you'll go awry. Remember that the first R2 CD-ROM is actually Windows 2003 SP1, so the administrative pack on that disk simply installs the Windows 2003 administration tools. Emily needs to go to the \admin folder on the second CD-ROM, where she'll find four unhelpfully named files. She needs only two of them: Windowsxp-MMC30-KB907265-X86.exe is a hotfix that upgrades MMC to MMC 3.0, and fsrmgmt.exe installs the File Server Resource Manager, Print Management, and DFS Management snap-ins. 
SOLUTION STEPS: 

1. Do prep work, including installing Windows 2003 R2 and upgrading AD schema. 
2. Build a namespace. 
3. Add a namespace server. 
4. Add folder targets. 
5. Set up DFSR. 
6. Monitor replication by running reports. 


Build a Namespace 


After the AD schema and Emily's distribution servers are upgraded, she's ready to build her namespace. First, she takes down her existing namespace using either the new DFS Management snap-in or the legacy DFS administrative tool. Because she has FRS configured to replicate member-server data, it's best to use the legacy tool to disable FRS replication. 
HOW DFS AND AD WORK TOGETHER 

To understand some of the advantages of DFS and Active Directory (AD) integration, it helps to know how the two work together. AD stores information about the namespace servers and the namespace configuration as BLOBs in the domain partition at CN=Dfs-Configuration,CN=System,DC=<domain>,DC=<generic top-level domain>, which ensures that any client that can reach a domain controller (DC) can get information on a domain-based DFS namespace. Because DFS uses site information to find the nearest DFS replica, sites and subnets must be properly configured in AD before you configure DFS. 

When a Windows client attempts to access a DFS folder, the client's Netlogon service first queries AD to determine the names of the namespace servers. Then, according to the AD site topology, Netlogon tries to contact the closest namespace server. A Windows Server 2003 improvement ensures that if no namespace server is available in the client's site, the client chooses the next-closest offsite server. This capability isn't enabled by default, however; you must run Dfsutil with the /SiteCosting switch to turn it on. 

After the client has contacted the namespace server and the server has returned the namespace’s folder 
structure, the user navigates through the folder structure to a folder target. The namespace server provides the 
referral to the network share to the client, which then establishes a session with the destination server just as if 
you’d typed a Net Use command. If multiple folder targets are enabled for the folder of interest, the client again 
uses the AD site topology to choose the closest network share. 

You must not change the namespace configuration without letting AD know. If you have to change a DFS server's configuration—if you need to rename a server that is a root or folder target, for example—remove the server from the namespace first. Because server configuration changes aren't communicated to AD, AD continues to provide referrals to the old name. If you have no choice but to change a DFS server's configuration without removing it from the namespace (for example, if a server dies and isn't returned to service with the same name), run Dfsutil with the /clean parameter to remove the obsolete reference. 

InstantDoc ID 95224 
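The referral behaviour the sidebar describes (same-site target first, next-closest site only with site costing, and stale entries still handed out until they are cleaned from AD) can be modelled in a few lines. This is an added example in Python, not code from the article or from Windows; the site names, server names, site-link costs and the "online" flag that stands in for a renamed or dead server are constructed. Without site costing the model simply keeps offsite targets in the order they were listed, which stands in for the unordered referral the sidebar implies.

```python
"""Model of DFS referral selection by AD site (added example, not Windows code).

Sites, servers and link costs are constructed. Least-cost site distance is
computed with Dijkstra over symmetric site links, which is how AD site
costing ranks offsite targets.
"""
from dataclasses import dataclass
import heapq


@dataclass(frozen=True)
class Target:
    server: str
    site: str
    online: bool = True   # False models a stale AD entry (renamed or dead server)


# Constructed AD site topology: symmetric site links with costs.
SITE_LINKS = {
    ("Houston", "FortWorth"): 100,
    ("FortWorth", "Sweetwater"): 50,
    ("Houston", "Sweetwater"): 300,
}


def site_cost(src, dst):
    """Least-cost path between two sites over SITE_LINKS; inf if unreachable."""
    if src == dst:
        return 0
    graph = {}
    for (a, b), cost in SITE_LINKS.items():
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    dist = {src: 0}
    heap = [(0, src)]
    while heap:
        d, site = heapq.heappop(heap)
        if site == dst:
            return d
        if d > dist.get(site, float("inf")):
            continue
        for nxt, c in graph.get(site, []):
            nd = d + c
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                heapq.heappush(heap, (nd, nxt))
    return float("inf")


def referral_order(client_site, targets, site_costing=False):
    """Order a referral list the way the sidebar describes.

    Same-site targets come first. Offsite targets keep their listed order
    unless site costing is on, in which case they are sorted by site-link
    cost so the client tries the next-closest site first. Stale (offline)
    entries are still listed: AD keeps referring to them until Dfsutil /clean.
    """
    local = [t for t in targets if t.site == client_site]
    remote = [t for t in targets if t.site != client_site]
    if site_costing:
        remote.sort(key=lambda t: site_cost(client_site, t.site))
    return local + remote


def choose_target(client_site, targets, site_costing=False):
    """First reachable target in referral order, or None if every entry is stale."""
    for t in referral_order(client_site, targets, site_costing):
        if t.online:
            return t
    return None


# Constructed to match the article's scenario (server roles are assumptions).
NAMESPACE_SERVERS = [Target("HoustonDC", "Houston"), Target("FortWorthDataDC", "FortWorth")]
FOLDER_TARGETS = [
    Target("HoustonData", "Houston"),
    Target("FortWorthDataDC", "FortWorth"),
    Target("SweetwaterData", "Sweetwater"),
]

if __name__ == "__main__":
    for costing in (False, True):
        t = choose_target("Sweetwater", NAMESPACE_SERVERS, site_costing=costing)
        print(f"Sweetwater client, site costing {costing}: {t.server}")
```

The Sweetwater case is the one to watch: with no namespace server in its own site, the client only lands on the closer Fort Worth server when site costing is enabled; otherwise it may be referred across the slower Houston link.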


She then removes the root targets by using either the snap-in or the legacy tool. 

Next, she builds her new namespace. Because HardwareTX is a small company, its two domain controllers (DCs)—HoustonDC and FortWorthDataDC—will also be namespace servers for the new namespace. HoustonData, FortWorthDataDC, and SweetwaterData servers will provide file shares as link targets. 

To build the new namespace, Emily uses the new DFS Management console. The left pane displays the familiar console tree that shows the elements you can manage. The right pane is the new MMC 3.0 Actions pane, which contains the same choices as the right-click context menu. The center detail pane displays two step-by-step guides that help the administrator configure DFS. It also displays illustrations of what namespaces and replication groups look like and provides links to the DFS Web site and newsgroups. 

To create her namespace, Emily could right-click the Namespaces node and choose New Namespace. Because she's trying out new features of the MMC 3.0 console, however, she uses the Actions pane instead. Clicking New Namespace launches the New Namespace Wizard. The wizard's Steps pane shows how many steps she has to complete and which step she's on and lets her return to an earlier step by clicking that step rather than clicking Back numerous times. 

Emily enters the HoustonDC as the server in the Namespace Server step and selects Next. If the selected server doesn't have the DFS service running, the wizard automatically starts the service. 

In the next step, she enters a name for the namespace. The wizard creates the DFS folder structure on the server and sets the share permissions. Remember that this isn't the share for the servers that hold the data to be published in the namespace—it's the share for the namespace itself. Since the folder and share are managed by the DFS service, it's best to click Next and take the default of All users have read-only permissions. This default prevents two people from simultaneously updating the same file on different replica members. 

The next step asks whether Emily wants to create a domain-based namespace or a standalone namespace. She creates a domain-based namespace. Unless you have a special requirement for a standalone namespace on a single server, you should choose the domain-based configuration because it provides scalability and fault tolerance that a standalone namespace can't. (The sidebar "How DFS and AD Work Together" details the advantages of a domain-based namespace.) 

The next step presents Emily with a summary of her choices. Clicking Create triggers the namespace creation process. Individual steps are shown and confirmed when complete, and when the entire process is finished she gets a clear confirmation. 

Add a Namespace Server 

The Houston server is now a single point of 
failure for the entire namespace. Adding the 
Fort Worth server as a second namespace 
server provides fault tolerance in case the first 
server becomes unavailable. Because Fort 
Worth is closer than Houston to Sweetwater, 
the Fort Worth server also provides both local 
and Sweetwater users faster access to the 
namespace. 

To add a namespace server, Emily clicks \\hardwaretx.net\Software in the left pane of the DFS Management snap-in, then selects Add Namespace Server in the right pane. She enters FORTWORTHDATADC, the name of her server, in the search dialog box to complete the addition. By clicking the Namespace Servers tab in the middle pane, she can see both of the DCs that support the namespace. The actions available in the right pane make it easy to delegate permissions on the namespace and view or modify properties of the namespace or a namespace server. 



Add Folder Targets 

To make her working namespace useful, Emily needs to add folders to it. She wants to add just one folder, ISOs, to the namespace. She clicks the \\hardwaretx.net\Software namespace, then clicks New Folder in the Actions pane. In the New Folder dialog box, she types the folder name. Clicking Add to add a folder target—the real server or servers hosting the data—lets her enter a server name, examine the server's existing shares, add a share if necessary, and even configure the share permissions. The ability to configure the link servers in the console is a big improvement over the earlier version of DFS. She adds the ISO network shares on her four servers as folder targets in her new namespace, as Figure 1 shows. 

Because she adds more than one folder target, the DFS Management console assumes she wants to share data among her four folder targets and prompts her to set up a DFSR replication group. She chooses Yes, which launches the Replicate Folder Wizard. 


Set Up DFS Replication 

Because Emily implicitly chose to configure replication by immediately adding a second folder target to her namespace, the Replicate Folder Wizard prepopulates many fields with information from the folder. Clicking Next from the first screen causes the wizard to determine which folders are available to be members of the replica set. Any servers that contain folder targets and don't run R2 are ineligible to join the replica set. 

Clicking Next again takes Emily to the Primary Folder Target step, where she chooses the folder that will initially be authoritative for the replica set. Designating a primary folder means that if there's any content already in the replica set, the contents of the primary folder will override the preexisting content in the replica set. Files that don't exist in the primary folder are removed from view. Those files aren't deleted, but are moved to a hidden system folder named DfsrPrivate\PreExisting under the folder root, as a DFSR log message tells you in clear English. (Concise, informative logging is one of the much-needed improvements DFSR offers over FRS.) 

Figure 5: HTML report about initial replication (DFS Replication Health) 

In the Topology Selection step, which Figure 2 shows, Emily can choose from a hub-and-spoke replication topology, a full mesh topology, or build her own custom topology. A hub-and-spoke topology (where multiple branches replicate with one or more centralized servers) is more scalable, but a mesh topology is highly fault tolerant. In a mesh topology, each node is connected directly to the other nodes; consequently, in larger configurations a mesh topology can generate a lot of overhead for the servers. Since she has only four servers' content to replicate, however, Emily chooses the mesh topology. 

The next step lets Emily tailor the amount of bandwidth that replication consumes. Because she doesn't need to replicate data on less than 24 hours' notice and the company's WAN circuits are only lightly used after working hours, she decides to replicate with a bandwidth of 64Kbps—a trickle—during the day and with full bandwidth between 8 p.m. and 7 a.m. She clicks the Days and Times button, then clicks Edit Schedule. In the Edit Schedule dialog box, which Figure 3 shows, she chooses a day and time by dragging the cursor over a block of hours, then selects a bandwidth to use during that period and clicks Add. The final screen of the wizard appears; with the configuration complete, she reviews her choices and clicks the Create button to create the replication group and schedule. The Errors tab provides details on any errors in her configuration. 
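The two choices Emily just made, topology and schedule, are easy to reason about numerically. The following Python is an added example, not DFSR's code or the article's: it counts the one-way connections a full mesh needs against a hub-and-spoke group and reports the per-member load, which is the "overhead for the servers" the topology step warns about, and it builds the same 7x24 bandwidth grid the Edit Schedule dialog shows (64 Kbps by day, full bandwidth from 8 p.m. to 7 a.m.). The member names are taken from the article's scenario; treating HoustonDC as the fourth ISO-share host is an assumption, and the hub assignment and the ten-server comparison are constructed.

```python
"""Replication-group connection counts and bandwidth schedule (added example).

Not DFSR's own code or the article's. Member names follow the article's
scenario; hub choice and the larger comparison set are constructed.
"""
from itertools import permutations

FULL = "full"   # marker for "replicate at full bandwidth"


def mesh_connections(members):
    """Full mesh: every ordered pair, i.e. an inbound and an outbound connection per pair."""
    return list(permutations(members, 2))


def hub_spoke_connections(hubs, spokes):
    """Hubs form a mesh among themselves; each spoke connects to each hub both ways."""
    conns = mesh_connections(hubs)
    for spoke in spokes:
        for hub in hubs:
            conns.append((spoke, hub))
            conns.append((hub, spoke))
    return conns


def per_member_load(connections):
    """Number of connections each member takes part in (inbound + outbound)."""
    load = {}
    for src, dst in connections:
        load[src] = load.get(src, 0) + 1
        load[dst] = load.get(dst, 0) + 1
    return load


def compare_topologies(members, hubs):
    """Totals and per-member loads for full mesh versus hub-and-spoke."""
    spokes = [m for m in members if m not in hubs]
    mesh = mesh_connections(members)
    hub_spoke = hub_spoke_connections(hubs, spokes)
    return {
        "mesh_connections": len(mesh),
        "mesh_load": per_member_load(mesh),
        "hub_spoke_connections": len(hub_spoke),
        "hub_spoke_load": per_member_load(hub_spoke),
    }


def build_schedule(day_rate_kbps=64, night_start=20, night_end=7):
    """7x24 table like the Edit Schedule grid: schedule[weekday][hour] -> bandwidth.

    Hours from night_start up to midnight and from midnight until night_end
    replicate at full bandwidth; every other hour is throttled to day_rate_kbps.
    """
    schedule = []
    for _ in range(7):
        hours = []
        for h in range(24):
            night = h >= night_start or h < night_end
            hours.append(FULL if night else day_rate_kbps)
        schedule.append(hours)
    return schedule


def bandwidth_at(schedule, weekday, hour):
    """Look up the bandwidth in force for a weekday (0 = Monday) and hour (0-23)."""
    return schedule[weekday][hour]


# Constructed: the four servers whose ISO shares Emily replicates (HoustonDC assumed).
MEMBERS = ["HoustonDC", "HoustonData", "FortWorthDataDC", "SweetwaterData"]

if __name__ == "__main__":
    small = compare_topologies(MEMBERS, ["HoustonData"])
    big = compare_topologies([f"Server{i}" for i in range(10)], ["Server0", "Server1"])
    print("4 members: mesh", small["mesh_connections"], "hub-and-spoke", small["hub_spoke_connections"])
    print("10 members: mesh", big["mesh_connections"], "hub-and-spoke", big["hub_spoke_connections"])
    sched = build_schedule()
    print("Monday noon:", bandwidth_at(sched, 0, 12), "Monday 22:00:", bandwidth_at(sched, 0, 22))
```

With four members the totals are close (12 versus 6 connections) and the hub carries the same six connections a mesh member would, which is why the article's choice of a mesh is reasonable at this size; at ten members the mesh needs 90 connections against 34, and every mesh member carries 18.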

Figure 4 shows the DFS Management snap-in focused on the ISOs replication group Emily created. In the Actions pane, she can add members, change or verify the topology, delegate permissions, edit the replication schedule, and pretty much alter anything she initially configured. The Connections tab in the middle pane provides details of the replication connections, which were previously available only through the complicated Ultrasound utility for monitoring FRS. 

Replication might not begin immediately, regardless of the schedule, because DFSR has preliminary work to do. It must create and populate a staging directory with files to be replicated, and it must establish both inbound and outbound connections with its other replica set members. The amount of time it takes to complete these steps depends on the amount of data on the primary originating share and on how much of that data already exists on the replica members. When it's ready, DFSR begins replicating data. 

Run Reports 

Emily wants to create a diagnostic report to 
see how the initial replication is coming along, 
so she clicks Create Diagnostic Report in the 
Actions pane. She can choose to look at disk 
space used, backlogged transactions and files, 
and replication efficiency, but accepts the 
default settings and gets the HTML report 
shown in Figure 5. The report reveals that she 
still has a little troubleshooting to do, because 
two servers aren't reporting and the others are 
low on disk space. 

Not Your Father's DFS 

Windows 2003 R2's DFS Namespaces and DFSR service represent major improvements in all aspects of DFS. Setting up and maintaining a namespace are much easier than they've ever been. If limitations in DFS have prevented you from using it in the past, it's time to revisit this capability. 

InstantDoc ID 95223 

Sean Deuby 

(sdeuby@windowsitpro.com) is a contributing editor for 
Windows IT Pro and a senior member of the directory 
services team at Intel. He is the author of Windows 2000 
Server: Planning and Migration (Macmillan). 



Figure 4: DFS Management console showing newly created replication group 
Internet Explorer 7.0 

PROBLEM: Deploying and configuring Internet Explorer (IE) 7.0 

SOLUTION: If your organization doesn't subscribe to Microsoft's automatic updates, manually download IE 7.0 and deploy it; then, use the Internet Explorer Administration Kit (IEAK) or Group Policy for configuration and management. 

WHAT YOU NEED: Windows XP or Windows Server 2003; IE 7.0 

DIFFICULTY: ••ooo 


Microsoft Internet Explorer (IE) 7.0 is a core component of Windows Vista and is available for the latest versions of Windows XP and Windows Server 2003. This newest version of IE includes several cool new features, such as a streamlined interface, improved search integration, tabbed browsing, RSS feed compatibility, and advanced printing capabilities (e.g., IE 7.0 reformats printed output to match the paper size rather than just cutting off text). But one of the biggest improvements is IE 7.0's enhanced security. The browser offers ActiveX component restrictions, phishing protection to help determine when a Web site might be trying to obtain personal information, and improved security status highlighting that changes the address bar to green for high-assurance Web sites. 

These security enhancements make IE 7.0 valuable in most environments. Therefore Microsoft is pushing the browser as a high-priority update. So if your organization lets clients automatically update programs, you might not need to deploy IE 7.0. During the automatic update, the end user sees the dialog box that Figure 1 shows. The user must click Ask Me Later, Don't Install, or Install. If the user chooses to not install the update, you can manually deploy it later. (For information about preventing automatic updates, see the sidebar "Preventing Internet Explorer 7.0 Automatic Deployment," page 40.) 


by John Savill 

Deploying Internet Explorer 7.0 

If IE 7.0 isn't automatically deployed in your organization, you can download the browser from Microsoft's Web site (http://www.microsoft.com/windows/ie/downloads/default.mspx). IE 7.0 is available for Windows XP Professional x64 Edition, Windows XP SP2, and various versions of Windows Server 2003 (e.g., Service Pack 1—SP1, x64, IA-64). Several installation methods are available. The end user or administrator can click a link, you can run a script from the downloaded file or a customized package, or you can use Windows Server Update Services (WSUS) or Microsoft Systems Management Server (SMS) 2003 to deploy the browser. In addition, users can manually install IE 7.0 from a network share or CD-ROM. 

The IE 7.0 deployment file for 32-bit XP environments (i.e., IE7-WindowsXP-x86-enu.exe) has two switches that are useful for automated deployments. The -passive switch shows the progress of the IE 7.0 installation but doesn't prompt the user for any information. The -quiet switch doesn't display any dialog boxes. 

For organizations that use WSUS, IE 7.0 appears as 
a 15MB update rollup option. You can use standard 
WSUS procedures to configure IE 7.0 deployment. 
The browser will then deploy automatically and users 
can decide whether to install, not install, or postpone 
installation. 

If your organization uses SMS, the Inventory Tool 
for Microsoft Updates (ITMU) makes IE 7.0 available 
as part of the standard Microsoft Software Update 
Services (SUS) functionality. You can use SMS's 
reboot features to control the deployment's system 
restart requirements rather than using the IE 7.0 
installation options. You can also build a package of 
the downloaded IE 7.0 executable file with various 
switches to create a silent installation. Alternatively, 
you can use the Internet Explorer Administration Kit 
(IEAK) to create a customized IE 7.0 package for a 
more controlled deployment. 

Internet Explorer Administration Kit. The IEAK 7.0 is available from http://www.microsoft.com/technet/prodtechnol/ie/ieak7/default.mspx and comprises two main components, the Internet Explorer Customization Wizard and the IEAK Profile Manager. During installation you're prompted for how you plan to use the tool (e.g., in a corporate environment, as an ISP). For the purposes of this article, let's assume a corporate environment. 

To use the IEAK to create a customized IE 7.0 installation file, start the Internet Explorer Customization Wizard. From the Start menu, select Programs, Microsoft IEAK 7, Internet Explorer Customization Wizard. The first step is to gather the required information related to deploying IE 7.0; click Next in the wizard's introduction dialog box to get started. In the File Locations dialog box that opens, browse to the folder where you want to create the deployment build. By default, this location is C:\builds\<today's date>. The Advanced Options button that Figure 2 shows lets you configure automatic downloading of components and specify where to download components during the build process. After you set these options, click Next. 

A drop-down list displays that lets you select the target client platform, which controls the version of IE you need to deploy (e.g., Vista—x86-based, XP SP2). Next, select the language to use (the default is English). The next dialog box that opens lets you choose the destination media type for the customization: a file, an autorun CD-ROM, or the configuration-only information to use for clients that are already running IE 7.0. (The configuration-only option is for environments that don't use Active Directory—AD—and therefore can't use Group Policy.) 

The wizard then displays a list of features that 
require customization, as Figure 3 shows. If you'll use 
Group Policy, you need to select only a few features. 
Select the features you want to customize, and click 
Next. 

Now you must select where to download components from. Click Next in the introduction dialog box. The wizard will connect to Microsoft's Web site and check the latest version available. If you've previously run the IEAK and already have a downloaded build, the wizard will also show the version on your machine. If you don't have a local build, or a newer version exists, click Synchronize to download the latest version to your machine, then click Next. 

You can add as many as 10 custom components to include with an IE 7.0 deployment. You can configure these components to run before IE installation, after installation, or when the system restarts after installation. After you add the custom components you want, click Next. 

The next step in creating a customized installation is to configure the malicious software removal tool to run before IE 7.0 installation and to allow the updates to install. You also need to enable the option to let users configure the default browser behavior. Finally, you need to specify whether to store uninstallation data on the client machines (which uses valuable disk space). 

Depending on the selected options for the features to be customized, you might need to configure whether the user is prompted for input during installation and whether the system reboots automatically. Additional customization options include program settings for add-ins and HTML editing programs. Some of the options that are configurable as part of Group Policy are also available as settings. Note that these preferences are set during installation configuration and aren't reapplied if the user modifies them, which is an advantage of using Group Policy for customization. 

SOLUTION STEPS: 

1. Determine whether your organization automatically deploys Internet Explorer (IE) 7.0. 
2. Download IE 7.0 from Microsoft's Web site. 
3. If desired, use the Internet Explorer Administration Kit (IEAK) to create a customized IE 7.0 deployment package. 
4. Use Windows Server Update Services (WSUS) or Microsoft Systems Management Server (SMS) to deploy IE 7.0. 
5. Use the IEAK or Group Policy to configure and manage IE 7.0. 

Figure 2: Configuring automatic downloading of IE 7.0 components (the File Locations dialog box, showing the Destination folder field, here c:\builds\11062006, and the Advanced Options button) 

Preventing Internet Explorer 7.0 Automatic Deployment 

Companies that rely on Microsoft's built-in Automatic Update functionality to keep their organization up-to-date with fixes might still want to delay Internet Explorer (IE) 7.0 deployment (e.g., if they use Web sites that aren't tested with IE 7.0 or don't work with IE 7.0). The Internet Explorer 7 Blocker Toolkit lets you stop automatic deployment of IE 7.0. You can download the tool at http://www.microsoft.com/downloads/details.aspx?familyid=4516a6f7-5d44-482b-9dbd-869b4a90159c&displaylang=en. The tool runs as a Group Policy administrative template or as a script. Both options reset the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0\DoNotAllowIE70 to 1. Organizations that use Active Directory (AD) and Group Policy can use the administrative template; organizations that don't have (or don't want to use) Group Policy can run the script. The blocker also stops deployment of the browser when you visit the Microsoft Windows Update Web site and select the Express mode for installation updates. 

The blocker works only for IE 7.0 deployments that run through the Automatic Update Client and communicate directly with Microsoft's update servers. Even if the blocker is enabled, other deployment methods still function—for example, Windows Server Update Services (WSUS) and Microsoft Systems Management Server (SMS) still deploy. 

InstantDoc ID 95446 


After you configure all the options to create 
your customized package, you can use SMS or 
a third-party solution to deploy the package to 
clients. Depending on the options you selected, 
users might see IE updates downloading and 
might need to click to accept various validation 
screens. After you use the Internet Explorer 
Customization Wizard to create a package, you 
can use the IEAK Profile Manager to edit the 
package's .ins file to modify settings and create 
new profiles as necessary, as Figure 4 shows. 




server, or you can edit Group Policy from an 
XP workstation that has IE 7.0 installed. 

To see the new Group Policy settings for IE 7.0, open the file in Notepad or another text editor and search for the text !!SUPPORTED_IE7. You'll also notice some !!SUPPORTED_IE7Vista entries; these settings are for IE 7.0 running on Vista and relate to protected-mode operation, which stops elevation-of-privilege attacks. 
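Rather than searching inetres.adm by hand, the same inventory can be produced by parsing the ADM format. The following is an added example, not code from the article or from Microsoft; SAMPLE_ADM is a constructed fragment in inetres.adm style and its policy names are made up.

```python
# Added example, not from the article: a parser for the ADM template format that lists
# the policies inetres.adm gates on !!SUPPORTED_IE7 / !!SUPPORTED_IE7Vista. SAMPLE_ADM is constructed.
import re
from dataclasses import dataclass

@dataclass
class AdmPolicy:
    name: str              # display name, resolved from the [strings] table
    category: str          # "Parent / Child" category path
    keyname: str = ""      # registry key the policy writes
    valuename: str = ""    # registry value the policy writes
    supported: str = ""    # raw SUPPORTED token, e.g. "!!SUPPORTED_IE7"

def _resolve(token, strings):
    """Turn a !!TOKEN into its [strings] text; plain quoted text is unquoted."""
    t = token.strip()
    return strings.get(t[2:], t) if t.startswith("!!") else t.strip('"')

def parse_adm(text):
    lines = [l.strip() for l in text.splitlines()]
    # The [strings] table sits at the end of the file, so read it first.
    split = next((i for i, l in enumerate(lines) if l.lower() == "[strings]"), len(lines))
    strings = {}
    for l in lines[split + 1:]:
        if "=" in l and not l.startswith(";"):
            key, _, val = l.partition("=")
            strings[key.strip()] = val.strip().strip('"')
    policies, categories, current = [], [], None
    for line in lines[:split]:
        m = re.match(r"(\w+)\s*(.*)", line)
        if not line or line.startswith(";") or not m:
            continue                      # blank, comment, or #if/#endif directive
        kw, rest = m.group(1).upper(), m.group(2).strip()
        if kw == "CATEGORY":
            categories.append(_resolve(rest, strings))
        elif kw == "POLICY":
            current = AdmPolicy(_resolve(rest, strings), " / ".join(categories))
        elif kw == "END":
            if rest.upper() == "CATEGORY" and categories:
                categories.pop()
            elif rest.upper() == "POLICY" and current is not None:
                policies.append(current)
                current = None
        elif current is not None:
            if kw == "KEYNAME":
                current.keyname = rest.strip('"')
            elif kw == "VALUENAME" and not current.valuename:
                current.valuename = rest.strip('"')   # first one; PARTs may add more
            elif kw == "SUPPORTED":
                current.supported = rest
    return policies

def ie7_policies(text, vista_only=None):
    """Policies gated on IE 7.0. vista_only=True keeps only !!SUPPORTED_IE7Vista
    (protected-mode) entries, False drops them, None returns both kinds."""
    selected = []
    for p in parse_adm(text):
        token = p.supported.lstrip("!").upper()
        if token.startswith("SUPPORTED_IE7"):
            is_vista = token.endswith("VISTA")
            if vista_only is None or vista_only == is_vista:
                selected.append(p)
    return selected

SAMPLE_ADM = r'''
; Constructed fragment in inetres.adm style; NOT the real file.
CLASS MACHINE
CATEGORY !!WindowsComponents
  CATEGORY !!InternetExplorer
    POLICY !!FeedDiscoveryOff
      KEYNAME "Software\Policies\Microsoft\Internet Explorer\Feeds"
      SUPPORTED !!SUPPORTED_IE7
      VALUENAME "DisableFeedDiscovery"
    END POLICY
    POLICY !!ProtectedModeOn
      KEYNAME "Software\Policies\Microsoft\Internet Explorer\Main"
      SUPPORTED !!SUPPORTED_IE7Vista
      VALUENAME "EnableProtectedMode"
    END POLICY
    POLICY !!OlderPolicy
      KEYNAME "Software\Policies\Microsoft\Internet Explorer\Restrictions"
      SUPPORTED !!SUPPORTED_IE6
      VALUENAME "NoBrowserOptions"
    END POLICY
  END CATEGORY
END CATEGORY
[strings]
WindowsComponents="Windows Components"
InternetExplorer="Internet Explorer"
FeedDiscoveryOff="Turn off feed discovery (constructed)"
ProtectedModeOn="Turn on Protected Mode (constructed)"
OlderPolicy="Older IE 6.0 policy (constructed)"
SUPPORTED_IE7="At least Internet Explorer 7.0"
SUPPORTED_IE7Vista="At least Internet Explorer 7.0 on Windows Vista"
SUPPORTED_IE6="At least Internet Explorer 6.0"
'''

if __name__ == "__main__":
    for p in ie7_policies(SAMPLE_ADM):
        print(f"{p.category} > {p.name}: {p.keyname}\\{p.valuename} [{p.supported}]")
```

Point it at the real inetres.adm from a client with IE 7.0 installed to get the list of new policies and the registry locations they control.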

When you view a policy in the Group Policy Object Editor window, which Figure 5 shows, the description text shows whether the policy applies to IE 7.0 or above. You might want to spend some time familiarizing yourself with the Group Policy areas so that you understand how IE 7.0's new functionality will affect your organization. You need to know which policies are available to configure and control the new areas, and you need to be aware of improved methods for controlling existing functionality. 

One of the new functionality areas is RSS 
Feeds. You can use Group Policy to configure 
how feeds are discovered, which stops IE from 
highlighting and advertising whether an RSS 
feed is available on a Web page. In addition, 
you can restrict users from subscribing to or 
unsubscribing from feeds, as well as block 
users from downloading enclosures (i.e., files 
attached as part of a feed). Finally, several 
core features have a Group Policy entry on the 
IE administrative template. For example, you 
can enable phishing protection to highlight 
Web sites that might be trying to fraudulently 
obtain information. 


Configuring Internet Explorer 7.0 

Deploying IE 7.0 to users is only half the battle. You also must ensure that users know how to use the browser and that your administrative configurations create an optimal end-user experience. The IEAK is useful for creating a deployment package with initial settings and a degree of lockdown. However, the IEAK doesn't let you make configuration changes after the browser deploys. In an environment that doesn't use AD, using the IEAK for initial configuration is acceptable—with later changes made through local policy pushes or registry changes. But in environments that use AD, Group Policy is preferable for configuration management. 


An updated Group Policy template for IE 7.0 is installed automatically during IE 7.0 installation. The IE Client Side Extension (CSE) that's responsible for processing Group Policy settings related to the browser refreshes constantly and corrects changes that conflict with Group Policy. IE 7.0 settings that were previously preferences (i.e., registry value settings that aren't in standard Group Policy areas and are considered tattooed on the client computer) are now true policies. 

Perhaps you don't want to install IE 7.0 on your servers to obtain the updated IE configuration file (i.e., inetres.adm). Two alternatives are available. You can copy the file from the C:\Windows\inf folder on a client with IE 7.0 installed to the C:\Windows\inf folder on the 


Beyond Deployment 

IE 7.0 has many security perks and useful features that make the browser valuable for most organizations. Unless your enterprise subscribes to Microsoft's automatic updates, you need to plan for IE 7.0 deployment. However, simply deploying the browser isn't enough. To take full advantage of IE 7.0's features, you also must plan for its long-term configuration and management. 
In many organizations, public key infrastructure (PKI) services (i.e., certificate services) are commonly used IT infrastructure building blocks. The certificate services bundled in Windows server OSs can generate a wide range of X.509-formatted digital certificates without incurring additional licensing costs. Organizations can use these certificates to secure mission-critical applications such as email exchanges, Web communications, administrators' and users' Windows logon processes, and code signing of in-house-developed code. 

In Windows Longhorn Server, the next version of the server OS that's due for release sometime in 2007, Microsoft includes the newest version of its enterprise PKI software. In this article I highlight the most important Longhorn Server PKI enhancements and explain how organizations can use these features to their advantage. Longhorn Server's PKI has the most features of any Windows PKI version so far. In addition, Microsoft made installing Windows Certificate Services easier than ever in Longhorn Server. 


Longhorn PKI Components 

When you install Longhorn Server's Certificate Services, you'll 
immediately notice that Control Panel no longer includes 
an Add or Remove Programs applet. You can use Longhorn 
Server's Add Roles Wizard to install Certificate Services. This 
wizard is accessible from the Initial Configuration Tasks 
screen, which opens after you first log on to a freshly installed 


Table 1: Comparison of Longhorn Server Standard Edition and Enterprise Edition PKI features (columns: Feature, Standard Edition, Enterprise Edition) 

• Setup with role wizards 
• Enterprise PKI tool (PKIview) 
• Restricted enrollment agents 
• Restricted certificate managers 
• PKI-specific performance counters 
• SCEP support 
• OCSP support 
• Cryptography API: Next Generation (CNG) support 
• Version 3 (V3) certificate templates 
• Enhanced smart card support 


system, and the Server Manager screen, which you can use at any time to configure server settings. Longhorn Server's PKI functionality is referred to as Active Directory Certificate Server in the Add Roles Wizard, as Web Figure 1 (http://www.windowsitpro.com, InstantDoc ID 95172) shows. Longhorn Server's Server Manager also includes a wizard to remove Certificate Services, called the Remove Roles Wizard. 

The new Server Manager and its associated wizards are the results of Microsoft's engineering efforts to make Windows a more componentized OS. When you install the Active Directory (AD) Certificate Server role, you'll notice that it comprises four optional subcomponents: the Certification Authority, Certificate Authority Web Enrollment, Simple Certificate Enrollment Protocol (SCEP), and Online Certificate Status Protocol (OCSP) components. Microsoft also refers to these subcomponents as role services. 

The first two components (i.e., Certification Authority and Certificate Authority Web Enrollment) were also available in previous versions of Windows Certificate Services. The Certification Authority is Microsoft's certificate and revocation-list generation engine; the Certificate Authority Web Enrollment is a set of Web pages that lets users enroll for certificates through a Web interface. The SCEP component was previously included in both the Windows 2000 Server and Windows Server 2003 resource kits. SCEP allows network devices such as routers and switches to easily enroll for certificates on a Windows Certification Authority (CA). The OCSP component provides a new service that wasn't available in previous Windows versions. Certificate users and applications can use the OCSP component to obtain real-time certificate status information (e.g., whether a certificate is still valid or has been revoked). Microsoft acquired a company named Alacris to obtain the OCSP logic. The Longhorn Server OCSP implementation is compliant with Request for Comments (RFC) 2560. OCSP client-server communications leverage HTTP and port 80 and don't require additional open network ports. 

Server Manager's straightforward user interface and improved error and warning logic help ease the installation, configuration, and removal of Windows components. For example, when you install the Certificate Authority Web Enrollment component, if the Microsoft IIS Web server isn't already present on the local machine, the wizard prompts you to also install the IIS Web server role. Previously, administrators needed to ensure that IIS was successfully installed before installing the Certificate Authority Web Enrollment component. 

Server Manager also reduces the number of required installation steps. A good example of this improvement is the Microsoft SCEP component installation. In previous Windows versions, you could add SCEP support after the Certificate Services installation by installing the SCEP services that were included in the resource kit. In Longhorn Server you can use one wizard to install the Certificate Services and SCEP support. In addition, the SCEP logic is bundled with Longhorn Server. To reduce support costs and ease Windows administrators' lives, Microsoft included most of the utilities that were previously in the resource kit. Get used to the idea: Longhorn Server has no resource kit! 

Another important change that you need to be aware of when you plan to install Longhorn Server's Certificate Services is that not all PKI features are available in Longhorn Server Standard Edition. Only the certificate services that are bundled with Longhorn Server Enterprise Edition are feature-full. Table 1, page 43, provides an overview of the PKI feature set differences between these two Longhorn Server editions. Longhorn Server Standard Edition's PKI is adequate for organizations with few certificate needs (e.g., organizations that need only Secure Sockets Layer—SSL—server certificates), but organizations that use certificates to secure important mission-critical data and that have many PKI-enabled applications need the Longhorn Server Enterprise Edition PKI. 

PKI Management Enhancements 

A long-awaited PKI management feature is the addition of CA-specific performance counters. These counters are particularly useful for monitoring and managing Windows CAs. For example, you can use the performance counters to create reports on overall CA performance (e.g., number of failed requests, average certificate request processing time). ISPs or organizations might need such reports to illustrate their conformance with service 


Figure 1: CA Properties Enrollment Agents tab (options Do not restrict enrollment agents / Restrict enrollment agents; an Enrollment agents list, here PKI\RA1 Enrolments; and a Certificate Templates list with Name and Access columns, here PKI\RA1 users: Allow) 


level agreements (SLAs). 

In Longhorn Server, administrators can use new counters in the revamped Reliability and Performance Monitor to monitor their CAs' performance. If Certificate Services is installed correctly, Longhorn Server Performance Monitor includes the following PKI-relevant performance counter groups: Certification Authority, Certification Authority Connections, Database, Database Instances, and Database Table Classes. If the OCSP service is installed, the OCSP Server and OCSP Server Connections counters are included. 

A solution that provides additional tools to manage Windows Certificate Services is the Microsoft Operations Manager (MOM) management pack for the CA and OCSP services. Microsoft plans to release this management pack to coincide with Longhorn Server's release. 

Longhorn Server Certificate Services also includes additional administrative delegation capabilities. Longhorn Server offers more granular control for delegating the PKI enrollment agent and certificate manager roles. In Windows Certificate Services an enrollment agent is an account that lets a user enroll for certificates on other users' behalves. A Windows CA administrator can assign a user the right to enroll for certificates on behalf of other users by issuing the user a special enrollment agent certificate. An example of when you'd use enrollment agents is if you wanted to allow an HR employee to preload users' smart card logon certificates on the users' smart cards. Previous Windows PKI versions don't 


let you control on which users' behalves an enrollment agent can enroll for a certificate, nor can you control the types of certificates (e.g., mail encryption, Web authentication) an enrollment agent can enroll for on other users' behalves. Longhorn Server's CA Properties lets you set both restrictions from the Enrollment Agents tab, which Figure 1 shows. 

Longhorn Server includes a similar capability for certificate managers. Certificate managers are accounts that can approve or deny user certificate requests, as well as revoke certificates. A Windows CA administrator can assign a user the certificate manager role by giving the user the Issue and Manage Certificates permission in the CA Properties security settings. In Win2K and Windows 2003, PKI CA administrators can control which users or groups a Windows account can issue and manage certificates for. The Longhorn Server PKI adds the capability to control certificate 
Figure 2: MMC Enterprise PKI snap-in 

issuance and management for a particular certificate manager based on the certificate type. For example, in Longhorn Server the CA administrator can restrict a certificate manager to issue and manage the Web authentication certificates for only those users who belong to the AD Sales group. You use Longhorn Server's CA Properties Certificate Managers tab to control certificate manager delegation. 

Another useful addition to a CA administrator's toolset is the Microsoft Management Console (MMC) Enterprise PKI snap-in (PKIview.msc), which Figure 2, page 44, shows. In Windows 2003, the resource kit includes the Enterprise PKI viewer, which you must install separately. Longhorn Server includes this tool by default. CA administrators can use this snap-in to easily check the health status of all the CAs integrated with their AD environment. From the Enterprise PKI viewer you can check the validity and currency of CA certificates, certificate revocation lists (CRLs—blacklists that contain the serial numbers of bad or revoked certificates), CRL distribution points (CDPs—locations from which PKI clients can download the latest CRLs), and Authority Information Access (AIA—locations from which PKI clients can download CA certificates). 

Cryptographic Changes 

Windows Certificate Services closely interacts with the OS's cryptographic engines. At the heart of Windows Vista's (the new Microsoft client OS) and Longhorn Server's cryptographic operations is a new cryptographic API, called Cryptography API: Next Generation (CNG). Microsoft will eventually use this new API to replace the current Cryptography API (CAPI), but in Vista and Longhorn Server the old and new APIs coexist—primarily for compatibility with legacy applications. The new CNG architecture is more modular and lets organizations easily add their own cryptographic libraries (e.g., custom public key cryptographic libraries) to the Windows OS. For more information about the CNG architecture, go to Microsoft's CNG Web site (http://msdn2.microsoft.com/en-us/library/aa376210.aspx). 

Thanks to CNG, Longhorn Server's Certificate Services supports state-of-the-art asymmetric ciphers such as the Elliptic Curve Digital Signature Algorithm (ECDSA) and hashing algorithms such as the Secure Hash Algorithm (SHA)-256. These algorithms are referred to in the industry as Suite B algorithms. Longhorn Server's Certificate Services can leverage Suite B algorithms to generate certificates and to secure the archival of private keys that are in the CA database. For more information about these algorithms, go to the National Security Agency's (NSA's) Suite B Cryptography Web site (http://www.nsa.gov/ia/industry/crypto_suite_b.cfm). 
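The OCSP exchange described under Longhorn PKI Components and the Suite B algorithms discussed here, as one added Python example that is not the article's or Microsoft's code: a toy issuing CA acts as its own responder, a relying party builds an RFC 2560 request, and the response is checked (signature, matching serial number, freshness) before its status is trusted. It needs the third-party cryptography package; the CA, hostnames and the one-hour nextUpdate are constructed assumptions.

```python
# Added example, not from the article or Microsoft: an RFC 2560-style OCSP round trip
# signed with ECDSA P-256 and SHA-256 (the Suite B pair named above). Needs the
# third-party 'cryptography' package; the CA, hostnames and timings are constructed.
import datetime as dt
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

def utc_now():
    """Naive UTC datetime, the form cryptography's builders expect."""
    return dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)

def issue_cert(subject_cn, issuer_name, public_key, signer_key, is_ca):
    """Issue a one-year certificate signed with ECDSA/SHA-256."""
    now = utc_now()
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer_name)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(minutes=5))
            .not_valid_after(now + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))

class OcspResponder:
    """Toy responder run by the issuing CA itself (RFC 2560 also allows a delegated signer)."""
    def __init__(self, ca_key, ca_cert):
        self.ca_key, self.ca_cert = ca_key, ca_cert
        self.status_db = {}   # serial number -> (cert, status, revocation time, reason)

    def register(self, cert, status, revoked_at=None, reason=None):
        self.status_db[cert.serial_number] = (cert, status, revoked_at, reason)

    def handle(self, request_der):
        """Decode a DER OCSPRequest (the HTTP POST body) and return a signed DER OCSPResponse."""
        req = ocsp.load_der_ocsp_request(request_der)
        entry = self.status_db.get(req.serial_number)
        if entry is None:
            # A serial this CA never issued: say 'unauthorized' rather than guess a status.
            unsuccessful = ocsp.OCSPResponseBuilder.build_unsuccessful(
                ocsp.OCSPResponseStatus.UNAUTHORIZED)
            return unsuccessful.public_bytes(serialization.Encoding.DER)
        cert, status, revoked_at, reason = entry
        now = utc_now()
        builder = (ocsp.OCSPResponseBuilder()
                   .add_response(cert=cert, issuer=self.ca_cert, algorithm=hashes.SHA256(),
                                 cert_status=status, this_update=now,
                                 next_update=now + dt.timedelta(hours=1),
                                 revocation_time=revoked_at, revocation_reason=reason)
                   .responder_id(ocsp.OCSPResponderEncoding.HASH, self.ca_cert))
        return builder.sign(self.ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def check_status(cert, issuer_cert, responder):
    """Relying party: ask about one certificate and validate the answer before trusting it."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer_cert, hashes.SHA256()).build()
    resp_der = responder.handle(req.public_bytes(serialization.Encoding.DER))
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "error:" + resp.response_status.name
    # 1. The signature over tbsResponseData must verify under the responder's (here the CA's) key.
    issuer_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                    ec.ECDSA(resp.signature_hash_algorithm))
    # 2. The answer must be about the serial we asked for, not a replayed answer for another cert.
    if resp.serial_number != cert.serial_number:
        raise ValueError("OCSP response is for a different certificate")
    # 3. Freshness: now must lie within [thisUpdate, nextUpdate], allowing a little clock skew.
    now, skew = utc_now(), dt.timedelta(minutes=5)
    if now < resp.this_update - skew or (resp.next_update and now > resp.next_update + skew):
        raise ValueError("OCSP response is stale")
    return resp.certificate_status.name.lower()   # "good", "revoked" or "unknown"

def demo():
    """Toy CA with one valid, one revoked and one never-registered certificate; query all three."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    ca_cert = issue_cert("Example Issuing CA", ca_name, ca_key.public_key(), ca_key, True)
    leaves = {}
    for cn in ("web01.example.test", "web02.example.test", "web03.example.test"):
        key = ec.generate_private_key(ec.SECP256R1())
        leaves[cn] = issue_cert(cn, ca_name, key.public_key(), ca_key, False)
    responder = OcspResponder(ca_key, ca_cert)
    responder.register(leaves["web01.example.test"], ocsp.OCSPCertStatus.GOOD)
    responder.register(leaves["web02.example.test"], ocsp.OCSPCertStatus.REVOKED,
                       revoked_at=utc_now() - dt.timedelta(days=1),
                       reason=x509.ReasonFlags.key_compromise)
    return {cn: check_status(c, ca_cert, responder) for cn, c in leaves.items()}

if __name__ == "__main__":
    for cn, status in demo().items():
        print(f"{cn}: {status}")
```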

To enable issuance of certificates that leverage Suite B algorithms, Longhorn Server's PKI includes additions to the certificate template properties. Certificate templates are blueprints of the different certificate types that an AD-integrated CA (aka enterprise CA) can issue. You can use the MMC Certificate Templates snap-in to manage certificate templates. The templates and their properties are stored in AD. Longhorn Server's extended certificate templates are referred to as version 3 (V3) templates. The new template properties are on the Cryptography and Request Handling tabs in a V3 certificate template's properties. Only Longhorn Server CAs can issue certificates that are based on V3 templates, and only Vista client computers and Longhorn Server computers can enroll for certificates that are based on V3 templates. V3 templates aren't available in the Certificate Authority Web Enrollment interface. 

Vista and Longhorn Server also include a new common smart card Cryptographic Service Provider (CSP) that various smart card vendors' smart card subsystems can leverage. CSPs are cryptographic libraries that you can plug into the CAPI to let the Windows platform and its applications perform different types of cryptographic operations. The new common smart card CSP lets smart card vendors quickly and easily plug their smart card software into the Windows OS. But not just developers benefit from this technology; users and administrators will experience improved smart card Plug and Play (PnP) support. 

Another smart card-related change that users and administrators can take advantage of in Vista and Longhorn Server is the expanded application support. For example, in Vista and Longhorn Server the Encrypting File System (EFS) can leverage smart cards to securely store a user's EFS private key. EFS is an NTFS-based file encryption mechanism that Microsoft first introduced in Win2K. For more information about EFS in Vista and Longhorn Server, see "Vista and Longhorn Promise Enticing EFS Enhancements," November 2006, InstantDoc ID 93498. 

Fundamental Changes 

Although Microsoft made fewer and less visible changes to Certificate Services in Longhorn Server than in Windows 2003, these changes are no less interesting or important. For example, the new cryptographic architecture (i.e., CNG) lets Windows Certificate Services support state-of-the-art cryptography and lets organizations embed their own cryptographic libraries. Longhorn Server Certificate Services also includes significant management enhancements. Although Microsoft doesn't plan to support upgrades from a Win2K or Windows NT 4.0 PKI, the company will support Windows 2003 PKI to Longhorn Server PKI upgrades. The benefits of Longhorn Server's improved PKI will make the upgrade well worth the effort for many organizations. 

InstantDoc ID 95172 
LONGHORN SERVER PKI FEATURES 

• New wizards to install and remove Certificate Services 
• SCEP—protocol support enabling network devices to easily enroll for certificates on a Windows CA 
• OCSP—protocol support for obtaining real-time certificate status information 
• PKI uses Server Manager to ease installation, configuration, and removal of PKI components 
• CA-specific performance counters 
• New administrative delegation capabilities for enrollment agents and certificate managers 
• PKIview administration tool bundled with the OS 
• New cryptographic architecture called CNG 
• Expanded cryptographic cipher support including support for Suite B algorithms (e.g., ECDSA, SHA-256) 
• Additions to certificate template properties 
• New common smart card CSP 
Prevent Hiccups 

GOexchange removes errors, warnings and inconsistencies within the database before major corruption makes the database fail. 

“GOexchange corrected 2,264 errors and 26 warnings.” 

Anyone who has given birth to an Exchange network knows it can get sick and needs some nursing to stay healthy. In fact, 72% of Exchange Administrators surveyed* have “experienced” an Exchange disaster (feels like the flu)—usually from improper feeding and care. 


Like many databases, constant adding and deleting can corrupt an Exchange data file so it eventually turns sour. Replicating, archiving and backing up the data doesn't stop the stink—it just stores it. You’ve got to... 

Fix the Problem 

You may have tried the free utilities to fix Exchange. While they help, they are too tedious, time consuming and lightweight to keep your Exchange baby healthy. You've tried the milk, now try some meat! 


Paul Ramos, Director IT 

Run, Don't Crawl 

In addition to fixing the database, GOexchange removes sluggishness and improves performance by re-indexing and defragmenting the database to permanently remove white space and deleted items. The end result is increased performance and stability with a compact, efficient database that’s 31 to 55% smaller! Combine this with archiving and the database is up to 91% smaller—making it much quicker to back up. 
“Life before GOexchange... was an absolute nightmare. Late nights, long weekends and upset users.” 

Marty Grogan, CTO 

Stop The Crying 


Pamper Yourself with GOexchange 

It’s time to try GOexchange, from Lucid8, the #3 best-selling automated disaster prevention and optimization software for Microsoft Exchange 5.5, 2000, 2003 and 2007. As the mother of all Exchange tools, GOexchange helps prevent disasters, repairs problems, improves performance, and saves you a lot of time. 

“Without routine maintenance, decreasing performance, increased warnings and errors accumulate and database fragmentation transpires, leading to Exchange disasters.” 

Gartner 


“...our information stores were reduced by 45-50%.” 

Dale Huitt, Systems Lead 

Automated Babysitter 

First, GOexchange is easy to set up and use. Twenty minutes—that's all it takes to get your server up and running. Just schedule it, and walk away! 

The software notifies the users, validates the database, runs the backup, conducts a comprehensive system analysis and diagnostics, logs the errors, and notifies you if it discovers a “stop” error; then it repairs and defragments the database, generates a thorough report and schedules the next event. 

You can do some of this work yourself, but 
why waste time doing repetitive maintenance, 
when GOexchange can do it for you faster 
and more effectively than doing it by hand. 


Why not call now, or visit our resource site and learn how to reduce the risk and avoid the pain. Protect your Exchange data, maximize performance, and spend a weekend at home—instead of babysitting Exchange. 
Special Offer 

• Free Software for analysis of your Exchange server! 
• Free White Paper—“Basic Feeding of Your Exchange Server.” 
• View the Gartner webcast “Protecting Microsoft Exchange.” 

Go to: www.Liteir1G.com/GRiIPrn 
Call 425.456.8474 
E-mail: Sales@Lucid8.com 
Make your Exchange environment as efficient as possible 


Paul Robichaux (troubleshooter@robichaux.net) is a principal engineer for 3sharp, an MCSE, and an Exchange MVP. He is the author of several books, including The Exchange Server Cookbook (O’Reilly and Associates), and creator of the http://www.exchangefaq.org Web site. 


If you want to start an argument with a Microsoft Exchange Server administrator, try giving unsolicited advice about storage design and configuration. Exchange 2000 Server and Exchange Server 2003 offer so many storage options that determining an optimal configuration is often difficult. In addition, some common and enduring Exchange misconceptions further complicate the decision-making process. In this article, I discuss some lesser-known Exchange storage design principles that will help you clarify what works so you can make the best design decisions for your environment. 

Storage Partitioning 



Exchange Server 5.5 uses a monolithic database design, with a maximum of three databases on each server: a mailbox database, a public folder database, and a directory database. This design allows some truly scary configurations; for example, I once had a customer with an average Exchange 5.5 mailbox database size of 140GB. 

Exchange 2000 introduced the concept of multiple storage groups (SGs), each of which can contain multiple databases; Exchange 2003 uses the same mechanism. The SG (a logical object that doesn't exist on the hard disk) is an instance of the Exchange Information Store (IS) that runs within the store.exe process and owns the transaction logs for all the mailbox and public folder databases in the group. Each database is a separate logical object with a pair of physical disk files (the .edb and .stm files). Many customers who upgrade from Exchange 5.5 to Exchange 2000 or Exchange 2003 accept the default migration settings. This practice isn't advisable because you end up with Exchange 5.5's huge single database rather than the benefit of multiple databases. 

You can back up or restore only one database at a time per SG. If you have multiple SGs, you can back up or restore multiple databases simultaneously. Suppose you have a 140GB database that's divided into four SGs, each with a 35GB database. Backing up this divided database takes the same total amount of time as backing up one 140GB database; however, the individual backups take about a quarter of the time. If you back up to tape, you can add a second tape drive to back up two databases in parallel and cut the backup time in half. But the biggest performance gain occurs if you restore multiple databases in parallel. If you've backed up multiple SGs, you can restore one database from each SG at the same time and significantly reduce the overall restore time. 

Another good reason to partition your storage is that doing so can help you abide by your service level agreements (SLAs). Suppose you have an SLA that requires you 


48 Windows IT Pro APRIL 20 

Connecting the IT Community 

www.windowsitpro.com 

REQUIRED READING Feature 


to restore executives' access to email within an hour of an outage but gives you a five-hour window for other employees. If you put the executives' and employees' mailboxes into separate SGs, you can restore the databases independently. Assuming that you have fewer executives than employees, you should be able to restore the executives' email access according to your SLA. 
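The partitioning argument above (parallel restores across streams, plus restoring the executives' SG first to meet its SLA), as an added planning example that is not part of the article: a greedy list scheduler assigns SG restores to tape drives or other restore streams and reports which SGs miss their SLA. The 35GB/hour throughput, the 10GB executive SG and the SLA windows are assumptions.

```python
# Added example, not from the article: a planner for the restore argument above.
# It assigns SG restores to parallel streams (tape drives) and checks each SG's
# finish time against its SLA. Sizes, SLAs and throughput are assumed.
import heapq
from dataclasses import dataclass

@dataclass(frozen=True)
class StorageGroup:
    name: str
    size_gb: float
    sla_hours: float     # restore window for the mailboxes in this SG

def schedule_restores(groups, streams, gb_per_hour, order="deadline"):
    """Greedy list scheduling: each SG restore goes to the stream that frees up first.
    order="deadline" restores the most urgent SG first (what the SLA needs);
    order="size" restores the largest first (good for total makespan)."""
    key = (lambda g: g.sla_hours) if order == "deadline" else (lambda g: -g.size_gb)
    free_at = [(0.0, i) for i in range(streams)]   # (time the stream is idle, stream index)
    heapq.heapify(free_at)
    plan = []
    for g in sorted(groups, key=key):
        start, idx = heapq.heappop(free_at)
        finish = start + g.size_gb / gb_per_hour
        plan.append((g, start, finish, idx))
        heapq.heappush(free_at, (finish, idx))
    makespan = max(finish for _, _, finish, _ in plan)
    late = [g.name for g, _, finish, _ in plan if finish > g.sla_hours]
    return makespan, late, plan

def demo(rate_gb_per_hour=35.0):
    """The article's 140GB store: as one database, split by SLA tier, and split into four SGs."""
    one_db = [StorageGroup("all-mailboxes", 140, 1.0)]   # executives are inside, so the 1 h SLA binds
    by_tier = [StorageGroup("exec-mailboxes", 10, 1.0), StorageGroup("staff-mailboxes", 130, 5.0)]
    four_sgs = [StorageGroup(f"sg{i}", 35, 5.0) for i in range(1, 5)]
    results = {}
    for label, groups, streams, order in [
        ("one_db/1 stream", one_db, 1, "deadline"),
        ("by_tier/1 stream, deadline first", by_tier, 1, "deadline"),
        ("by_tier/1 stream, largest first", by_tier, 1, "size"),
        ("four_sgs/1 stream", four_sgs, 1, "size"),
        ("four_sgs/2 streams", four_sgs, 2, "size"),
    ]:
        makespan, late, _ = schedule_restores(groups, streams, rate_gb_per_hour, order)
        results[label] = (round(makespan, 2), late)
    return results

if __name__ == "__main__":
    for label, (hours, late) in demo().items():
        print(f"{label:36s} makespan {hours:5.2f} h  SLA misses: {late or 'none'}")
```

The split alone does not satisfy the one-hour SLA; the executives' SG must also be restored first, and the second stream halves the four-SG makespan as the article describes.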

Microsoft's recommendation with the ini¬ 
tial release of Exchange 2000 was to create 


RAID 

Once upon a time, administrators debated 
whether using RAID with Exchange was a good 
idea. That debate has long since been put to 
rest; administrators know that RAID can add 
a valuable degree of protection to Exchange 
data. Now the debate has turned to the type of 
RAID to use. 

To determine which type of RAID to use, 
you need to remember that each RAID level 
balances performance against recoverability. 


the smallest number of SGs possible because 
each additional SG required a fixed allocation 
of between 100MB and 250MB of RAM—a 
significant amount at the time. Exchange 2000 
Service Pack 3 (SP3) includes RAM allocation 
process modifications that dramatically reduce 
the amount of RAM required for additional 
SGs. Now, Microsoft's recommendation is to 
create as many SGs as possible. To draw on 
my earlier example, Microsoft recommends 
creating four SGs with one database each 
instead of one SG with four databases because 
each Exchange SG has its own set of logs. 
If you have only one database per SG, each 
database essentially has its own set of logs. 
This configuration simplifies and expedites 
disaster recovery because only one database's 
transaction logs must replay when you restore 
the database. 


What's good for one data type can be bad for another. Imagine a striped volume with two disks. Striping gives you great speed because applications can read from and write to all physical disks at the same time. But if you lose one disk in the stripe set, you effectively lose the whole volume. This design might be acceptable in situations in which the performance boost would be beneficial but a transient disk failure wouldn't be the end of the world (e.g., for SMTP queues on a gateway machine). However, you'd have to be fairly risk-tolerant to put your databases on such a volume. 

Microsoft's general recommendation is to 
use mirroring for data when protection is most 
important (e.g., transaction logs, the system 
volume). When data protection and access 
speed are both important, use either RAID 5 


Use this checklist to create an efficient 
Exchange storage environment. 


□ Create multiple storage groups (SGs) with 
one database each. 

□ Determine the best type of RAID to use for 
your environment. 

□ Put transaction logs and databases on 
separate volumes. 

□ Enable circular logging only when necessary. 

□ Know your SAN vendor’s Exchange 
storage recommendations. 


or RAID 0+1. If you have the budget, RAID 0+1 
is preferable. 


Logs and Databases 

When you install or upgrade Exchange and accept the default log and database locations, all your Exchange data is stored on one volume. However, Microsoft has long recommended that you put transaction logs and databases on separate volumes because of the differences in their access patterns. Log files are always written to sequentially, and they're read (also sequentially) only during log playback. Databases are written to and read from in essentially random patterns, according to users' requests. Thus, putting your log files and databases on the same disk volume is a bad idea for two reasons: Doing so impairs performance and can compromise your ability to recover data in the event of a disk failure. These risks are present even if you're using RAID arrays instead of plain physical disks. Consider a case in which you have one large RAID 5 array with 10 disks that contains transaction logs and databases for two SGs. A better configuration from a performance and disaster recovery standpoint is to use two disks to make a mirrored volume for the transaction logs, dedicate seven disks to a RAID 5 array for the databases, and keep one unallocated disk as a hot spare. Depending on the database access patterns, you can also create separate RAID 5 volumes (each with its own set of physical disks) for the databases. 

Keep in mind that online full backups remove the transaction logs. If you see a lot of log files after a backup finishes, you need to investigate because the backup wasn't successful. Never manually delete transaction log files without a good reason for doing so—such as if Microsoft Customer Service and Support (CSS) advises you to. Even then, you need to ensure that you have a current copy of the logs stored in a safe location before you delete them. 


Circular Logging 

Circular logging is a poorly understood Exchange feature that many administrators dismiss as inherently risky—with good reason. When you enable circular logging, Exchange limits the total amount of disk space it uses for transaction logs by overwriting transaction logs after a backup finishes. Although this method makes sense in theory, in practice it means that you might not have a complete set of logs for a particular database—which means that you can't fully recover the database in the event of a failure. 

A couple of situations exist in which you might want to enable circular logging for an SG. One case is on front-end SMTP servers. The Exchange 2003 SMTP service requires that you have a mailbox database mounted so that it can generate nondelivery reports (NDRs). Over time, that database accumulates transaction logs unless you enable circular logging. Another situation that calls for circular logging is if you're performing a task that generates a high number of transactions. For example, suppose you need to move 500 mailboxes from one server to another overnight. Doing so will generate a volume of transaction logs on the two servers approximately equal to the volume of mail being moved—a substantial amount. To solve this problem, perform full backups of both servers, then enable circular logging on the SG from which you're moving the mailboxes. You might also want to enable circular logging on the target server, although leaving it off is the safer option. In most other situations, leave circular logging off to avoid overwriting transaction data that you might need later. 

SANs 

SANs offer some powerful Exchange storage 
benefits. Having a flexible storage system that 
lets you allocate and reallocate space on the 
fly is useful in itself. In addition, being able to 
logically reassign and move volumes between 
hosts lets you take full advantage of clustering, 
point-in-time copies, and other technologies 
that depend on or benefit from SANs. 

However, SANs also introduce some additional storage variables, most of which are specific to the SAN vendor. For example, the way in which a SAN controller allocates physical disks to logical volumes varies among vendors. Some vendors suggest that when you create an aggregate volume, you put as many disks in it as possible; others don't. Some vendors have transparent support for reallocating storage on hot spots; others don't. You need to know and understand your SAN vendor's recommendations for how to allocate and provision Exchange storage. A strategy that works well for one SAN vendor's system might not work for another's. 

In general, vendor recommendations follow the Microsoft recommendations I've discussed. The most common discrepancies are regarding the size and type of disks to use for a particular configuration, and RAID design and allocation (e.g., Network Appliance's—NetApp's—filers typically use RAID 4 rather than RAID 5). Before you commit Exchange mailboxes to a SAN setup, use the Microsoft Jetstress tool (jetstress.msi) to evaluate the setup's performance. To download this tool, go to http://www.microsoft.com/downloads/details.aspx?familyid=94b9810b-670e-433a-b5ef-b47054595e9c&displaylang=en. In addition, involve your SAN vendor's engineers to ensure that your SAN design and layout are appropriate for your Exchange requirements. Doing so will help protect you against unpleasant and potentially expensive surprises as your storage requirements grow. 

Make the Best of Change 

Exchange storage technologies have changed significantly in the 10 years since Exchange first shipped. Knowing how to make the best of those changes will help you effectively design and operate an Exchange system that offers superior reliability and performance. For more information about Exchange storage and design, see the resources listed in the Learning Path box. 
VISTA’S NEW BACKUP AND RECOVERY TECHNOLOGIES 

Robust yet easy-to-use data protection features that even your mom can use 


Data protection is a necessary evil of the computing world. If the fact that most PC data is stored on magnetic platters spinning in excess of 7,000rpm while read/write heads float about 3 millionths of an inch above the media surface isn't enough motivation for frequent backups, perhaps your user's penchant for overwriting the big presentation will serve as a reminder of the importance of data protection. Backups that you're diligent enough to perform today might save your proverbial behind in the not too distant future. 

IT shops have traditionally used NTBackup to back 
up desktop data and system information. First appearing 
in Windows NT 3.1, NTBackup was originally a limited 
version of a commercial backup application from Seagate 
Technology, which became Veritas Software and recently, 
through acquisition, Symantec. Although NTBackup 
might not seem elegant, its beauty lies in its simplicity 
and its price, especially for small-to-midsized businesses 
(SMBs). Many system administrators have used NTBackup 
and its companion Removable Storage Manager (RSM) to 
create effective backup and recovery strategies for both 
workstations and servers. 

So, if NTBackup is such a solid performer and has met the backup needs of thousands of IT shops, why is Microsoft supplanting it in Vista? The short answer is that Microsoft wants users to be able to efficiently back up and, if necessary, restore their own systems. To make the backup and recovery processes more useful (and forgiving) to the masses, some of the functionality had to be traded for ease of use. So, instead of repackaging the old backup technology, Microsoft built Vista's new backup capabilities from the ground up and effectively leveraged proven technologies to create robust yet easy-to-use data protection features that even your mom can use. 

Vista's new backup and recovery capabilities should provide for better end-user self-sufficiency, which might make administrators and power users feel slightly abandoned. However, if you take the time to learn about the new tools and how to leverage them, you'll likely embrace their simplicity. 



Ed Roth (eroth@windowsitpro.com) is a network manager for a government institution and a contributing editor and product reviewer for Windows IT Pro. 

The Big Picture 

Vista provides two general backup-and-restore methods: Basic File Backup and Restore, which protects users' data, and Windows Complete Backup and Restore, which ensures full system recoverability. Additional data and system protection is afforded through the Shadow Copy and System Restore functionality. 

With the exception of Shadow Copy, all backup and restore activities take place in the Backup and Restore Center, which Figure 1 shows. Wizards are available to step even the most novice users through the tasks required to perform effective backups. The processes for defining and executing backups are, at first glance, overly simplistic, but the combination of automation, advanced media support, and standard file formats actually holds a great deal of promise for effective data protection on user workstations. 


Did You Know? 

Microsoft has released a tool for restoring NTBackup-created .bkf files in Vista. To download or get more information about the tool, go to http://www.microsoft.com/downloads/details.aspx?FamilyID=7da725e2-8b69-4c65-afa3-2a53107d54a7&DisplayLang=en. 
Basic File Backup and Restore 

Basic File Backup and Restore protects user data files, such as documents, pictures, and email messages. This operation doesn't back up program files, OS files, temporary files, and profile settings. Nor does it back up the data that resides in Encrypting File System (EFS) or a FAT file system. Supported media for file backups include CD-R, DVD-R, secondary hard disks (either internal or external, including USB and FireWire), and network drives. Tapes are no longer supported as backup media. 

To perform a file backup operation, you need to open the Backup and Restore Center by selecting All Programs on the Start menu, then choosing Maintenance. Alternatively, you can access the center through the Control Panel System and Maintenance applet. In the Backup and Restore Center, click the Back up files button. In the list of available backup media, choose the appropriate hard disk, CD-R, DVD-R, or network target, then click Next. You'll be prompted to pick the categories (e.g., Documents, Music, Videos) for the files you want to back up. Note that unlike NTBackup, Basic File Backup and Restore doesn't let you pick individual files or directories to back up. This is part of Microsoft's efforts to save users from themselves. Although it might drive some administrators crazy, the default selections ensure that users don't inadvertently exclude their most important data from the backup operation. 

After selecting the file categories, you're prompted with scheduling options. The wizard forces you to create a backup schedule, which is another measure designed to user-proof the backup operation. By default, the backup settings you specify through the wizard are saved and used for all scheduled and all manually run backups until you say otherwise. If you want to alter the schedule, backup media, or file categories, you need to click the Change settings option under the Back up files button in the Backup and Restore Center, then click the Change backup settings option in the Backup Status and Configuration dialog box. 

If you don't want file backups to automatically run, you can turn off this functionality by disabling the Automatic backup option at the bottom of the Backup Status and Configuration dialog box. However, if you later change a backup setting, the automatic backup functionality is re-enabled by default. 

During file backups, Vista uses the Volume 
Shadow Copy Service (VSS) to take a snapshot 
of the files targeted for backup, even if those 
files are open. Vista saves the shadow copy 
versions of the files to the specified 
backup media in a compressed-file 
format (i.e., in .zip files). Whenever 
a file meeting the selection criteria 
is updated, a complete copy of that 
file is saved during the next file 
backup, regardless of whether the 
backup is full or differential. 

Windows Complete PC Backup and Restore 

Windows Complete PC Backup and Restore creates an image-based backup of your entire system for use in the event of hardware failure or other system damage. The backup process saves everything on the system drive and other selected drives, but you can't back up the drive on which the backup image files are saved. 

You can save the backup image files on local hard disks, DVD-R media, and network shares in which the share is specified as a Universal Naming Convention (UNC) path. 

VISTA BACKUP AND RECOVERY CHECKLIST 

Here are five backup and recovery essentials in Windows Vista that you should know about: 

• The Backup and Restore Center, which you access through the Control Panel System and Maintenance applet, is the central location from which the majority of backup and restore operations take place. 

• Basic File Backup and Restore is an automated tool for protecting users’ data files with minimal user interaction. The file backups can be stored on a wide array of media. They’re stored in .zip file format. 

• Windows Complete PC Backup and Restore creates an image-based backup of an entire system in the event of a failed hard disk or other catastrophe. Complete PC backups are stored in Microsoft Virtual Hard Disk (VHD) format. 

• Volume Shadow Copy Services (VSS) is an automatically enabled component of the Vista OS. VSS saves point-in-time copies of files that can be restored in the event of accidental file deletion or corruption. 

• System Restore uses VSS to create point-in-time copies of system files that can be restored to recover your system after a botched driver installation or other misbehaving system element. 

InstantDoc ID 95241 

By leveraging VSS, Windows Complete PC Backup and Restore backs up only changed blocks during subsequent backups, but only if the backup target is a hard drive. If you're backing up to DVD-R media, a complete backup is performed. Another media-dependent difference concerns the compression of the backup image files. Image files saved on a hard disk aren't compressed, whereas image files saved to DVD-R are compressed. 

For Windows Complete PC Backup and 
Restore images, Vista uses the Microsoft Virtual 
Hard Disk (VHD) format, which is the same 
format used for virtual machine hard drives. 

You can mount a VHD backup image in Microsoft Virtual Server and Microsoft Virtual PC, but you can't boot from a VHD backup image. Mounting a VHD image in Virtual Server or Virtual PC will let you restore a select portion of a complete PC backup. However, Microsoft designed Windows Complete PC Backup and Restore for full system recovery, which you accomplish with the Windows Recovery Environment (WinRE). 

Windows IT Pro APRIL 2007 53 www.windowsitpro.com 

WinRE is an operating environment based on Windows Preinstallation Environment (Windows PE), which replaced the recovery console functionality in Windows XP. You can install WinRE on a hard disk partition in your system. To learn more about this type of installation, see the blog at http://blogs.msdn.com/winre/default.aspx. Alternatively, you can run WinRE directly from the Windows Vista installation DVD. To do so, boot from the installation DVD, make the appropriate language selections, then choose the Repair your computer option. WinRE will guide you through the appropriate recovery operation you're performing, which in this case, is Windows Complete PC Restore. (There are many system repair and recovery functions you can perform from WinRE.) With Windows Complete PC Restore, you can use the complete PC backup, whether stored on disk or DVD, to bring a user's system back to life after a catastrophic event. 

You can also use a command-line tool, wbadmin.exe, to perform backup and recovery operations. For example, you might use the following command to perform a full backup of your system's C and D drives to a server share: 

wbadmin start backup -backuptarget:\\server\share -include:c:,d: 

where \\server\share specifies the share's UNC path. You can get more information about wbadmin by typing 

wbadmin /? 

in a command-shell window. If you want to automate the complete PC backup process, you can create a script that uses wbadmin and use Vista's Task Scheduler to run that script. 
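One way to script the automation the text describes, as an added example that is not part of the article: the script runs the article's wbadmin command unattended, records the exit code so a failed backup is visible, and the comment at the end registers it with Task Scheduler. It assumes Windows PowerShell is installed on the Vista machine; \\server\share, C:\Scripts, and the 02:00 daily schedule are placeholders.

```powershell
# Added example (not from the article): unattended Complete PC backup via wbadmin.exe.
# Placeholders: \\server\share (backup share), C:\Scripts (script and log location).
$BackupTarget = '\\server\share'                  # UNC path of the share, as in the article
$Volumes      = 'c:,d:'                           # volumes to include (never the target drive)
$LogFile      = 'C:\Scripts\CompletePCBackup.log'

# -quiet suppresses wbadmin's confirmation prompt so the task can run with nobody logged on
$output = & wbadmin.exe start backup "-backupTarget:$BackupTarget" "-include:$Volumes" -quiet 2>&1

# Record the outcome; a non-zero exit code means the backup did not complete
"$(Get-Date -Format s) wbadmin exit code: $LASTEXITCODE" | Add-Content -Path $LogFile
$output | Out-String | Add-Content -Path $LogFile

# Pass the result back to Task Scheduler (shown as the task's Last Run Result)
exit $LASTEXITCODE

# Register the script once, from an elevated command shell, to run daily at 02:00:
#   schtasks /Create /TN "CompletePCBackup" /SC DAILY /ST 02:00 /RU SYSTEM /RL HIGHEST
#     /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\CompletePCBackup.ps1"
```

Check the log after the first scheduled run: a non-zero exit code there, like a pile of leftover transaction logs after an Exchange backup, means the backup needs investigating rather than trusting.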

Shadow Copy 

If you've worked in a Microsoft server environment, you've probably had a chance to use VSS. In Vista, VSS is part of the desktop OS, which provides for easy and effective protection against accidentally deleted or overwritten files. VSS is enabled by default and saves point-in-time copies of files. You can easily restore a file or folder by right-clicking it in Windows Explorer and selecting the Restore previous versions option. As Figure 2, page 53, shows, the Properties page appears. On the Previous Versions tab, you'll find a selection of restorable versions of the file or folder. You can restore a file or folder from not only shadow copies but also from file backups. Note that you can open, copy, and restore shadow copies, but you can only restore backup versions. There isn't much you will want or need to do to manage VSS, but if you are curious, vssadmin.exe is the command-line tool for monitoring VSS. Note that you need to have administrative rights to run vssadmin.exe. 

System Restore 

Between file backups, complete PC backups, and shadow copies, Vista has user data pretty well protected. However, none of that will help users who can't log on to their systems because of a bad driver or corrupted OS file. System Restore can help users recover from such scenarios. Although System Restore has been around for a while, Vista has improved it by again leveraging VSS to make point-in-time incremental copies of the files required to perform a System Restore. Vista's System Restore tool even includes an undo option in case the desired results aren't obtained. 

Restore points are automatically created 
every day and before significant events, such 
as the installation of a new device driver. You 
can also manually create a restore point in the 
System Protection tab of the System Properties 
dialog box. This tab is also where you perform 
a System Restore. 

Simply Powerful 

Although Vista's backup features might lack familiarity and some of the granular control of NTBackup, Microsoft has gone a long way toward achieving its goals of making backup and recovery tools more usable to the general population. Administrators and power users who are willing to learn about and embrace the new capabilities for what they are will likely discover that just because the features are user-friendly doesn't mean they're less effective in protecting workstation data and providing overall system recoverability. 
SHAREPOINT FEATURE 

Microsoft Windows SharePoint Services 2.0 is well known for its document-sharing and collaboration capabilities. IT professionals have been using it for several years now as both a document repository and an area for team workspaces. With document libraries, task lists, discussion threads, and other features, SharePoint Services 2.0 offers users the ability to access and distribute content quickly. 

One lesser-known feature of SharePoint Services 2.0 is the form library, which allows for the management of XML-based form files. For the IT professional, the advantage these form files have over other types of files (for example, Microsoft Office Word 2003 documents) is obvious: Form files are structured and consistent. Because the XML standard focuses mainly on content, the form library files aren’t riddled with varying degrees of formatting and thus are easier to process than Word documents. Of course, creating these form files requires an XML editor such as Microsoft Office InfoPath 2003 Service Pack 2 (SP2). Fortunately, there’s strong integration between SharePoint Services 2.0 and InfoPath 2003 SP2. 

After I give you a brief overview of InfoPath and its form designer, I’ll walk you through the various options and processes involved in deploying an InfoPath form template to a SharePoint site. I’ll also review some of the form library modifications that you’ll need to make after you publish the form template. 

About InfoPath 

In a nutshell, InfoPath is an application that lets you design and fill out electronic forms. The InfoPath form designer uses an XML schema, controls bound to schema elements, data connections, data validation, and conditional formatting within a template. End users can enter data in the fields as needed. Form data is stored as XML, which is then either submitted to a specified location such as a SharePoint form library or saved to the user’s local drive. 

When you create an InfoPath form, you can build it from scratch or use one of the built-in sample templates that help you implement scenarios such as status reporting, issue tracking, and purchasing. For this article, I’ll be using the sample Status Report template to design the form, but you can use the techniques here to design forms based on any of the other sample templates. 

Figure 1: Sample Status Report template 

When you look at the sample Status Report form, which Figure 1, page 55, shows, you can see some of the controls that are available, including 

• a date picker control and text box controls at the top of the form 

• rich text box controls in the Summary and Notes sections 

• bulleted list controls in the Last Period, This Period, and Issues sections. 

Each control is bound to an element in 
the form’s data source. This data source 
is mapped to an XML schema, which 
identifies the structure of the form file and 
the data types for the individual elements. 
When users enter data in a form, that 
data conforms to the rules specified in the 
associated XML schema. 



Figure 2: Example of a data validation rule 



Figure 3: Example of a conditional formatting rule 

Data Validation 

You can add rules to controls to validate data that users enter. For example, if you want to flag a time report entry that exceeds 40 hours for time spent, you can add a validation rule for the spent element. At runtime, if the user enters data that violates the rule, a red border would appear around the text box control with a screen tip or message indicating the nature of the validation problem. To create this validation rule, perform these steps: 

1. In the Time Report repeating table, 
double-click the text box bound to the 
spent element. 

2. In the Text Box Properties dialog box, 
click Data Validation. 

3. In the Data Validation text box, click 
Add. 

4. In the middle box at the top of the 
dialog box, select is greater than from the 
drop-down list, as Figure 2 shows. 

5. In the third box, select Type a number 
from the drop-down list and enter 40 in 
the box. 

6. In the ScreenTip box, type a message 
or screen tip explaining the problem. 

7. Click OK until all dialog boxes have 
been closed. 

Conditional Formatting 

Another option available when you design a form is conditional formatting, which you can use to enable or disable controls in the form view. For example, if you want to add logic that disables the Department text box when data has already been provided in the E-mail Address text box, you can add a conditional formatting rule to the Department text box control. The following example shows how to create this conditional formatting rule: 

1. Double-click the text box bound to the 
department element. 

2. In the Text Box Properties dialog box, 
click the Display tab. 

3. Click Conditional Formatting. 

4. In the Conditional Formatting dialog 
box, click Add. 

5. In the first box at the top of the 
Conditional Format screen, select 
emailAddressPrimary from the drop-down 
list, as Figure 3 shows. 

6. In the second field, change the value to 
is not blank. 

7. Select the Read-only check box. 

8. Click OK until all dialog boxes have 
been closed. 

SharePoint Data Connection 

When designing form templates that are to 
be used with SharePoint Services, you can 
create data connections that allow users 
to submit form files to a SharePoint form 
library. InfoPath 2003 SP2 has a built-in 
SharePoint submit adapter that enables 
form designers to specify a SharePoint 
form library URL. InfoPath also lets you 
create the library that will host the form 
template. I’ll walk you through the form 
library-creation process, but first let’s look 
Exchange Server 2007 

Tips for Deploying Exchange Server 2007 

Q What are the hardware requirements for Exchange Server 2007? 

A Microsoft has published the hardware/software requirements for Exchange Server 2007 at http://www.microsoft.com/exchange/evaluation/sysreqs/default.mspx. In short, the server must have: 

• X64 processor; either the Intel EM64T or AMD64 platforms 

• At least 2GB of RAM (plus 2-5 MB per mailbox for optimum performance) 

  • Light = 2MB/Mailbox 

  • Medium = 3.5MB/Mailbox 

  • Heavy = 5MB/Mailbox 

  • Other factors, including the number of Storage Groups, server role, etc., play a huge part. See this link for more detailed information: http://msexchangeteam.com/archive/2006/11/27/431644.aspx 

• Windows Server 2003 x64 or Windows Server 2003 R2 x64, either Standard or Enterprise 

Q What are the upgrade paths to Exchange Server 2007? 

A In-place upgrades are out. You will need to install a new Exchange Server 2007 machine into an existing Exchange 2000 or 2003 organization and move the data. Upgrading from Exchange 5.5 will require a little more work as you will need to completely upgrade the organization to Exchange 2000 or 2003 first. More information on the process can be found here: http://technet.microsoft.com/en-us/library/a313c016-0e51-466e-a3de-953e1e0d347d.aspx 


Q How should I begin planning for disk space? 

A The factors that affect your storage plans are much more lenient than before, but they will still require some thought. 

• Mailbox Size and Count: In other words, if your target is 1000 mailboxes at 500MB each, then you need to think about 488 GB for the base. 

• Dumpster Size: You should calculate the additional drive space you will need to hold deleted items until the retention period has expired. This could range from 10-40% and even higher depending on the retention period and expected mail volume. 

• Content Indexing: If you plan to index mailbox items, then you should add another 5% to the overall volume requirements in order to hold the index. 

• Growth: You should factor in growth in either mailbox numbers or volume. 20% is a generally acceptable number to use to factor growth. 

• Log Files: The amount of storage they consume will be based entirely on the frequency of backups and the volume of changes made daily to the database files. Many Exchange administrators use 10% as an initial estimation of log files. As always, plan to have logs stored on a separate set of disks. 

• IOPS: Mailbox IOPS, or database I/O per mailbox per second, is still an important calculation, but we have far more breathing room than we did with previous versions of Exchange. (These numbers are possible if you are using Outlook in cached mode.) 

  • Light Usage (Receive 20 messages a day): 0.11 expected IOPS per user 

  • Average Usage (Receive 40 messages a day): 0.18 expected IOPS per user 

  • Heavy Usage (Receive 80 messages a day): 0.32 expected IOPS per user 

  • Very Heavy Usage (Receive 120 messages a day): 0.48 expected IOPS per user 

• In our mailbox example above, 1000 Average mailboxes would require 180 Disk IOPS for adequate performance. A good 7200 RPM drive can usually get a true 100 IOPS, while the more expensive drives can get closer to 150. 

• To meet our capacity and IOPS goals, we would need to look at a disk system that could hold at least 860 GB of data and operate at 220 IOPS (for growth). Four disks in a RAID 10 configuration would probably fit the bill. 

Here is a great place to learn more about the variables and to perform a more scientific approach to drive estimation: http://msexchangeteam.com/archive/2007/01/15/432199.aspx 
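The sizing walk-through above, as an added PowerShell example that is not part of this Q&A: it folds the per-profile IOPS figures and the dumpster, index, growth, and log allowances into one function and derives a RAID 10 spindle count for the database volume. The 20% default dumpster allowance, the 500 GB spindle size, and the rule that RAID 10 halves usable capacity while IOPS scale with spindle count are my assumptions, and the write penalty is ignored, so it gives a first estimate rather than replacing the Exchange team calculator linked above.

```powershell
# Added example (not from the article): Exchange Server 2007 storage estimate built from
# the rules of thumb in the Q&A above. From the article: per-user IOPS by profile, the 5%
# index, 10% log and 20% growth allowances, the 10-40% dumpster range, and 100 IOPS per
# 7200 RPM disk. Assumptions: 20% dumpster default, 500 GB spindles, RAID 10 halves
# usable capacity and IOPS scale linearly with spindles (write penalty ignored).
function Get-ExchangeStorageEstimate {
    [CmdletBinding()]
    param(
        [int]$MailboxCount   = 1000,
        [int]$MailboxQuotaMB = 500,
        [ValidateSet('Light', 'Average', 'Heavy', 'VeryHeavy')]
        [string]$UsageProfile = 'Average',
        [double]$DumpsterPct = 0.20,   # article: 10-40% depending on retention period
        [double]$IndexPct    = 0.05,
        [double]$GrowthPct   = 0.20,
        [double]$LogPct      = 0.10,
        [int]$DiskIops       = 100,    # "true" IOPS of a good 7200 RPM drive
        [int]$DiskSizeGB     = 500     # assumed per-spindle capacity
    )

    # Expected database IOPS per mailbox (Outlook in cached mode), from the article
    $iopsPerUser = @{ Light = 0.11; Average = 0.18; Heavy = 0.32; VeryHeavy = 0.48 }

    # Capacity: base = mailboxes x quota; the allowances are applied to the base
    $baseGB = ($MailboxCount * $MailboxQuotaMB) / 1024
    $dbGB   = $baseGB * (1 + $DumpsterPct + $IndexPct + $GrowthPct)
    $logGB  = $baseGB * $LogPct          # logs belong on their own set of disks

    # IOPS: per-user figure x users, with the same growth headroom
    $currentIops = $MailboxCount * $iopsPerUser[$UsageProfile]
    $targetIops  = $currentIops * (1 + $GrowthPct)

    # RAID 10 for the database volume: mirroring doubles the raw capacity needed,
    # the spindle count must be even, and it must also deliver the target IOPS
    $forCapacity = [math]::Ceiling((2 * $dbGB) / $DiskSizeGB)
    $forIops     = [math]::Ceiling($targetIops / $DiskIops)
    $spindles    = [int][math]::Max($forCapacity, $forIops)
    if ($spindles % 2 -ne 0) { $spindles++ }

    [pscustomobject]@{
        BaseGB         = [math]::Round($baseGB, 1)
        DatabaseGB     = [math]::Round($dbGB, 1)
        LogGB          = [math]::Round($logGB, 1)
        CurrentIops    = [math]::Round($currentIops, 1)
        TargetIops     = [math]::Round($targetIops, 1)
        Raid10Spindles = $spindles
    }
}

# The article's case: 1000 average mailboxes at 500 MB each
# (base 488.3 GB, 180 IOPS today, 216 IOPS with growth, 4 spindles in RAID 10)
Get-ExchangeStorageEstimate -MailboxCount 1000 -MailboxQuotaMB 500 -UsageProfile 'Average' |
    Format-List
```

Run it again with -UsageProfile 'Heavy' or a larger -DumpsterPct to see which constraint, capacity or IOPS, ends up setting the spindle count.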


Q What do I need to know about Server Roles? 

A Well, you can’t install a server without choosing a role, so you must first understand the roles (and your design) before you can proceed. There are five server roles in Exchange Server 2007: Mailbox Server, Client Access, Hub Transport, Unified Messaging, and Edge Transport. Here are a few key notes on each: 

• Mailbox Server: The name says it all. These will likely be your largest servers. 

• Client Access: Provides HTTP/HTTPS access to the data; OWA, RPC over HTTP, and ActiveSync. 

• Hub Transport: Think of this as your internal Bridgehead server. 

• Unified Messaging: Communicates with your PBX system. These components are usually installed on a separate server. 

• Edge Transport: Inbound SMTP traffic goes here. These components must reside on a separate server. This is where message hygiene is configured and how mail gets into your environment. In single-server environments, the Inbound SMTP and message hygiene functionality can be forced on your Mailbox/CAS/Hub server. 

• For more detailed information and the Server Role Roadmap, follow this link: http://technet.microsoft.com/en-us/library/aa996319.aspx 


Q What role does the AD Site have with Exchange Server 2007? 

A The AD site definitions are important for internal mailbox routing in an Exchange Server 2007 environment. Exchange Server no longer uses routing groups. Instead, it routes based on the routing topology defined within the Active Directory Sites and Services. Here are a couple of important items to note: 

• Ensure there are no IP subnets defined in more than one AD site and that there is no overlap 

• At least one Hub Transport server should be installed in each Active Directory site 

• A Client Access server must be deployed in each site that contains Mailbox servers 


Q Does my Active Directory need to be at a certain functional level before I install Exchange Server 2007? 

A First and foremost, the Schema Master for your Active Directory forest must be running Windows Server 2003 R2 or Windows Server 2003 SP1. Second, you need to make sure the Active Directory domain functional level is set to Windows Server 2000 (or higher) native mode for all domains in the forest. 



Q Do I have to upgrade my Outlook clients before I install Exchange 
Server 2007? 

A Probably not. Outlook 2003 and Outlook 2007 are supported. For 
Outlook Web Access, clients need to have a supported browser such as 
Internet Explorer versions 7, 6, 5.5, and 5.01, or Safari, Firefox, Netscape, 
and Opera on Mac OS X or Linux. 
Figure 4: The default concat function 

Figure 5: A modified concat function 

at the process of creating a SharePoint 
data connection for submitting forms. 

At the time you’re creating the 
SharePoint data connection, it’s likely 
that a SharePoint Services site already 
exists. However, it’s also likely that the 
library hosting the form template doesn’t. 
When using the InfoPath Data Connection 
Wizard, you’ll need to record the form 
library URL that you specify, as it will be 
used later when publishing the form template. 
The following steps show how to 
create a SharePoint data connection in 
InfoPath 2003 SP2 for our Status Report 
sample: 

1. Click Tools, Data Connections. 

2. In the Data Connections dialog 
box, click Add, which opens the Data 
Connection Wizard. 

3. On the wizard’s first screen, click 
Submit data and click Next. 

4. Select To a SharePoint form library and 
click Next. 

5. In the SharePoint form library box, 
type the URL for the form library that will 
host the form template. In our example, 
we’ll be creating a Status Report form 
library on our SharePoint Services 
Reports site, so we’ll use this URL: http:// 
server2003ee/sites/reports/status. 

In addition to the form library URL, 
you must specify a naming convention 
for submitted form files. It usually makes 
sense to use form field values in file names 
to help ensure uniqueness in your naming 
convention. The concat function lets 
you combine two or more field values for 
specifying file names. Continuing in the 
Data Connection Wizard, you’ll perform 
the following steps to use the Status 
Report’s Name and Date fields for a 
file-naming convention: 


1. Click the function (fx) button, located to 
the right of the File name box. 

2. In the Insert Formula dialog box, click 
Insert Function. 

3. In the Insert Function dialog box, 
double-click the concat function. 

4. In the Insert Formula dialog box, in the 
Formula box, double-click the first prompt 
within the concat function (the "double 
click to insert field" prompt), as Figure 4 shows. 

5. In the Select a Field or Group dialog 
box, expand the Employee group, then 
the Name group, and double-click 
singleName. 

6. In the Insert Formula dialog box, in 
the Formula box, double-click the next 
prompt within the concat function. 

7. In the Select a Field or Group dialog 
box, double-click date. 

8. In the Insert Formula dialog box, in the 
Formula box, delete the comma 
after date and delete the third 
prompt within the concat function, 
as Figure 5 shows. 

9. Click OK. 

10. In the Data Connection 
Wizard, select the Allow overwrite 
if file exists check box. 

11. Click Next, then click Finish. 

12. In the Data Connections 
dialog box, click Close. 

User Submit Options 

By default, submit options aren’t 
enabled in your form template, 
even when you’ve defined 
a submit data connection. 
However, it’s relatively simple 
to enable submit commands 
on the InfoPath toolbar. You 
can also easily define InfoPath’s 
behavior when submitting forms 
(e.g., closing the form template after a 
submit operation is complete). To enable 
submit options for our Status Report 
example, perform these steps: 

1. Click Tools, Submitting Forms. 

2. In the Submitting Forms dialog box, 
click Enable Submit commands and buttons, 
as Figure 6 shows. 

3. In the Submit to drop-down list, select 
SharePoint form library. 

4. Click Submit Options. 

5. In the Submit Options dialog box, click 
Close the form and click OK. 

6. In the Submitting Forms dialog box, 
click OK. 

Promoting Column Names 

Before you publish the template, you can 
define column names for the SharePoint 
form library to which the template will 
be published. These column names are 
based on elements in the form template, 
and you can change the names as needed. 
This promotion offers SharePoint users 
read access to some of the data in the 
corresponding form files, without requiring 
InfoPath 2003 SP2 to be installed. 

Figure 6: Submit commands enabled 

Figure 8: New form library (Publishing Wizard: Name: status; Description: 
This form library contains status reports from employees in the Professional 
Services Division.) 

The Status Report sample defines five 
column names for its form data. In the 
following example, we remove two of those 
columns and add one for the submitter’s 
email address: 

1. Click Tools, Form Options. 

2. In the Form Options dialog box, click 
the Form Library Columns tab. 

3. Click Manager Name and click 
Remove. 

4. Click Department and click Remove. 

5. Click Add. 

6. In the Select a Field or Group dialog 
box, expand the employee group and 
click emailAddressPrimary. 

7. In the Column name box, type E-mail 
and click OK. 

8. In the Form Options dialog box, click 
OK. Figure 7 shows an example of the 
promoted columns. 



Figure 7: Promoted SharePoint columns 

Deploying the Form Template 

After you identify the SharePoint column 
names, you can now use the InfoPath 
Publishing Wizard to deploy the form template. 
The following steps show how to 
create a new Status Report form library on 
your SharePoint Services Reports site: 

1. Click File, Publish, to open the InfoPath 
Publishing Wizard. 

2. In the first screen, click Next. 

3. Select To a SharePoint form library and 
click Next. 


4. Click Create a new form library 
(recommended) and click Next. 

5. In the Enter the location of your 
SharePoint site field, type the URL you 
entered when creating the SharePoint data 
connection (e.g., http://server2003ee/ 
sites/reports) and click Next. 

6. Type status in the Name box and type 
a description in the Description box, as 
Figure 8 shows. 

7. Click Next. Click Finish, then click 
Close. 

Modifying the Form Library 

The last order of business is to tidy up 
the newly created form library. Usually, 
this involves simply modifying the general 
settings for that library. By default, the 
display name for the library is the same as 
the name you specified in the Publishing 
Wizard. The following example shows how 
to change the display name of status to 
Status Report: 

1. In Microsoft Internet Explorer (IE), 
navigate to http://server2003ee/sites/reports/ 
status. 

2. In the left navigation bar, click Modify 
settings and columns. 

3. On the Customize status screen, in the 
General Settings section, click Change 
general settings. 

4. On the Form Library Settings: status 
screen, in the Name and Description 
section, type Status Report in the Name box 
and click OK. 

In addition to changing the form library 
name, you might need to adjust settings 
for displaying columns. By default, all the 
fields that you promoted as SharePoint 
columns during the publishing process 
will appear in the All Forms view of the 
form library, but there are additional built-in 
SharePoint columns that you might prefer 
to suppress in this view. Continuing on the 
Customize Status Report page, perform 
these steps to customize column settings 
in the All Forms view: 

1. On the Customize Status Report page, 
click All Forms. 

2. On the Status Report: Edit View page, 
in the Columns section, clear the Display 
check boxes for the Type (icon linked to 
document), Modified, Modified By, and 
Checked Out To (link to username to user 
details page) columns. 

3. For the E-mail column, change the 
Position from Left value to 7. 

4. Click OK. 

Better Together 

Strong integration exists between 
SharePoint Services 2.0 and InfoPath 2003 
SP2, which gives IT professionals another 
option for easily collecting and sharing 
information in a collaborative environment. 
InfoPath stores data as XML-based 
form files. These files have a consistent 
structure, and thereby are more predictable 
than other file types if programmatic 
requirements arise. However, InfoPath 
2003 SP2 provides no browser-form 
capabilities. Users must have the InfoPath client 
installed on their machines to access the 
rich controls, advanced data validation, 
and conditional formatting of form files. 
Therefore, you might consider upgrading to 
Office InfoPath 2007, which does provide 
browser-form capabilities for InfoPath form 
files. 

InstantDoc ID 94959 


David Gerhardt 

(davidg@3sharp.com) helps develop client solutions using 
Microsoft SharePoint and Office System applications. He 
has more than 12 years of consulting experience and has 
written articles for the MSDN Library and the MSDN Beta 
Experience newsletter. 


SharePointPro & OfficePro 59 

SharePoint Q&A 
SharePointers 

Tips and techniques for using 
SharePoint technologies 

by Bob Mixon 


Q: I want to eliminate duplicate documents 
by creating a link from a document 
in one document library to a 
document that exists in another document 
library. In Windows SharePoint 
Services 2.0 and Microsoft SharePoint 
Portal Server 2003 this is a tedious 
task. I have to create an HTML file 
and use JavaScript code to redirect 
access to the other file. Has this process 
been simplified in the most recent 
SharePoint versions? 

A: I’m glad you asked because the answer 
is a definite yes. One of the new features 
in Windows SharePoint Services 3.0 and 
Microsoft Office SharePoint Server 2007 is 
the ability to extend a document library to 
support multiple content types. (Content 
types are groups of settings that you can 
apply to a category of SharePoint content 
to help you organize content in a more 
meaningful way.) One of the built-in content 
types is Link to a Document. This content 
type lets you store a title and URL for an 
existing document in either that document 
library or a different one. Figure 1 shows 
the New drop-down menu after I added 
the Link to a Document content type to a 
document library. 

When you select Link to a Document, 
you’re presented with the appropriate 
fields to enter the document name and 
location (URL), as Figure 2 shows. After 
you create a link to another document, 
the document name will be displayed in 
your document library and identified with 
the link icon, as Figure 3 shows. You can 
now access the linked document from this 
document library. 

Q: How can I hide SharePoint columns 
from certain users? I have a power user 
who, ideally, should have access to all 
columns and standard users who need 
only limited column access. 

A: Neither Windows SharePoint Services 
3.0 nor Microsoft Office SharePoint Server 
2007 (or earlier SharePoint technologies) 
supports the ability to apply permissions 
at the column (i.e., field) level. You 
have several options for solving this type of 
need, but if you require the information to 
be truly secure, you’ll have to use custom 
coding or purchase a third-party product. 

One way to address this need is by 
using Microsoft Office FrontPage 2003 
to remove the sensitive fields from the 
existing list pages and create other pages 
for your power users that contain those 
sensitive fields. Then you need to prevent 
your standard users from accessing the 
pages designed for your power users. 

One approach is to use a redirect Web 
Part, such as the one created by Bamboo 
Solutions (http://www.bamboosolutions 
.com). Such a Web Part will redirect 
users to another SharePoint page or site 
if they don’t belong to a specific permission 
group. Note that this approach will 
unghost your pages and therefore require 
additional maintenance in the future. (For 
information about page ghosting see 
the Web-exclusive article “What is page 
ghosting in Microsoft SharePoint 
technologies?” October 2006, InstantDoc ID 
93796.) 

A second approach is to create a 
custom list definition. You can create a 
custom list definition to provide most any 
functionality you want, including how the 
list is displayed. If you choose to create a 
custom list definition, I recommend that 
you read the MSDN article “Creating a List 
Definition” (http://msdn.microsoft.com/library/en-us/spptsdk/html/tsptCreateListTemplate_SV01016233.asp). 
You might need to augment this list 
definition approach with a custom Web Part 
that lets you control what information is 
displayed to users. (For more information 
about custom Web Parts, see “A 
Developer’s Introduction to Web Parts” at 
http://msdn2.microsoft.com/en-gb/library/ 
ms916848.aspx.) 

Figure 1: Menu showing the Link to a Document content type 

Figure 2: Specifying a document and its location 

Figure 3: Showing the new linked document 


Q: I’ve been asked to display the currently 
logged-on user on the home 
page of our SharePoint Portal. How can 
I do this? 

A: Surprisingly, this functionality wasn’t a 
standard UI element in Windows SharePoint 
Services 2.0 or Microsoft SharePoint 
Portal Server 2003. Rest assured that 
Microsoft has added it to Windows 
SharePoint Services 3.0 and Microsoft 
Office SharePoint Server 2007, but if you’re 
still running the earlier versions, there are a 
couple of methods you can use to gain this 
functionality. Probably the easiest approach 
is to find a third-party Web Part that will 
display this information. You can download 
one such free Web Part from the Microsoft 
SharePoint Products and Technologies 
Web Component Directory at http://www 
.microsoft.com/sharepoint/downloads/ 
components/detail.asp?a1=841. 

Another approach, which is described 
on the MSDN FrontPoint blog in the post 
“Howto: Display the Username for the 
Logged on user on a page” (http://blogs 
.msdn.com/frontpoint/articles/123179 
.aspx), uses the Data View Web Part and 
a few custom Collaborative Application 
Markup Language (CAML) techniques. 
Review the article before you decide on 
the approach you want to take. 

Q: I have 200 trainers at my company, 
dispersed throughout the world. Many 
of these trainers need to be able to 
work offline but still have access to our 
training materials. I’d like to set them 
up with a document library view that’s 
been filtered for the documents they 
need. They can then drag the documents 
to a folder on their desktops for 
use offline. How can I do this? 

A: The business problem you describe is 
quite common; unfortunately, SharePoint 
offers no simple solution. However, I have 
good news. Colligo Networks has created 
Colligo Reader for SharePoint, a product 
that does exactly what you’re looking for. 
The better news is, if your disconnected 
users need a read-only view, the Colligo 
Reader is free. You can find out more about 
the product and download it at http:// 
www.colligo.com/products/sharepoint/ 
index.asp. Note that Windows SharePoint 
Services 3.0 gives users the ability to 
perform offline synchronization of content. 
Therefore, in this scenario, the trainers 
could subscribe to the document library 
from Microsoft Office Outlook 2007 and 
have offline cached content that they can 
edit and later upload to the server. 

The Group Policy Route to Office Deployment and Management 

Here’s how to do it—and how the process changes in Office 2007 

by Darren Mar-Elia 
Microsoft Office is a large, complicated 
set of applications, with lots 
of knobs and switches to configure. 
Fortunately, you can use Group Policy to 
take control of the suite’s deployment and 
configuration. However, using Group Policy 
to manage Office can be challenging, 
especially if you’re trying to deploy and manage 
the new Office 2007 system. 

Perhaps you’ve never used Group 
Policy to deploy Office. If so, you’ve come 
to the right place. What follows is a primer 
for deploying the various versions of the 
product. As you’ll see, the process has 
changed significantly—although not for the 
better—for Office 2007. Also, if you need 
to know how to use the Microsoft-provided 
Administrative Templates (.adm) files 
to lock down your Office deployments, this 
article might prove extra useful. I’ll wrap 
things up with a look at what third-party 
vendors are doing to help add configuration 
capabilities for Office through Group 
Policy. 

Options for Deploying Office 

There are several ways you can deploy 
Office to your end users. For example, 
you might decide to “bake” Office right 
into your standard desktop-imaging process 
so that Office is automatically present 
when you set up a new workstation. 
You can also use a software-distribution 
package such as Microsoft Systems 
Management Server (SMS) to deploy it. 
Or, as you might guess, you can use the 
Group Policy Software Installation feature 
to deploy Office. 

Using Group Policy to deploy Office 
has two advantages over the other two 
deployment methods. The first advantage 
is that Group Policy is included “in the 
box,” so you don’t necessarily need to 
buy and deploy a complicated software- 
distribution product if your needs are 
basic. Another advantage is that deploying 
applications via Group Policy Software 
Installation lets you manage the application’s 
full life cycle—from initial deployment 
to updating to removal. That’s something 
you don’t get by baking Office into an 
image. So, what does it take to deploy 
Office via Group Policy? 

Using Group Policy to 
Deploy Office 

The following deployment method for 
using Group Policy Software Installation 
for Office deployment applies to Office 
2003, Office XP, and Office 2000. As we 
go through this process, keep in mind that 
Microsoft has made some significant—and 
not necessarily positive—changes to 
this process in Office 2007. I’ll discuss 
those changes shortly. But first, I’ll walk 
you through the prototypical Office 2003 
Professional deployment. 

1. The first thing you need to do is 
place the Office installation files on a 
server share where your clients can find 
them. Doing so isn’t just a matter of copying 
the CD-ROM files to a server share. To 
perform a proper deployment, you need to 
run an administrative installation of Office. 
Open a command prompt, and change 
to the Office installation CD-ROM folder in 
which setup.exe resides. From the command 
prompt, type 

setup /a 

to begin an administrative installation. 

2. In the Install Location box, enter a 
server share and folder where you want 
the Office installation files to reside. You’ll 
also need to enter the product key here. 
I recommend that you use a DFS share 
to host your application packages. A 
DFS share lets you move the underlying 
package around between servers without 
having to change the path in the Group 
Policy Object (GPO) where the package 
is deployed. This functionality is important 
because the path is hard-coded on each 
client that installs an application through 
Group Policy Software Installation, and 
a change in the package path triggers a 
reinstallation of the deployed application. 

3. After Office is deployed on the 
server, you need to ensure that both the 
share and NTFS permissions on the installation 
folder allow all the target computers 
or users to read the application setup files. 
To do so, grant the built-in Authenticated 
Users group the Read permission on the 
share and folders. 

4. Now, you need to deploy the package 
in a GPO. First, decide whether you 
want to deploy the package per computer 
or per user. If you choose a per-user 
deployment, you’ll need to determine 
whether you want to publish it or assign 
it. The differences between publishing 
and assigning are simple. By assigning an 
application, you’re telling Group Policy to 
install the application at user-logon time. 
By publishing it, you’re essentially saying 
that installation is up to the user, who 
must start the Control Panel Add/Remove 
Programs applet and explicitly choose to 
install Office. For most scenarios, assignment 
is preferable to publishing. 

For the sake of this article, we’ll perform 
a per-computer assignment of Office; 
the software will be installed during the 
next computer reboot and will be available 
to all users on a given computer. 
Open Group Policy Editor (GPE) on a 
GPO linked to the computer objects in 
Active Directory (AD) where we want to 
install Office and drill into the Computer 
Configuration\Software Settings\Software 
Installation node. Right-click the node, and 
choose New, Package. Next, enter the 
path to the Windows Installer setup file for 
Office 2003—in my example, it’s the file 
called pro11n.msi. 

Note that when you enter the path, 
you need to type the Universal Naming 
Convention (UNC) path for the .msi file, 
as Figure 1, page 64, shows, rather than 
navigating to the file directly in the file 
system. This requirement is necessary 
because the path is stored in the GPO for 
the package and is referenced by all clients 
that process the package. Therefore, 
the path needs to point to a location that 
every client can reach—in this case, the DFS 
share in which my packages are stored—rather 
than a local absolute path such as D:\packages\ 
Office2K3\pro11n.msi. 

5. After you choose the path to the 
package, a dialog box prompts you to 
decide whether you want to assign the 
package or select the Advanced options 
to set more properties on the deployment. 

This is a key decision point. Choosing 
Advanced options in Office 2003 and 
earlier lets you use transforms to customize 
your Office deployments. A transform 
is a special version of an .msi file—an 
.mst file—that modifies the setup instructions 
of the original install package as it’s 
installed and is applied when you deploy 
a package using Group Policy Software 
Installation. After the package is deployed, 
you can’t go back and add the transform, 
so you must add it at initial deployment. 

You create transforms for Office 2003 
by using the Custom Installation Wizard 
in the Microsoft Office 2003 Resource Kit. 
You can create a transform that controls 
which Office applications and options are 
installed, which folder Office is installed 
in, which default options are set within 
each Office application, and so on. You 
create a transform outside of GPE—using 
the Custom Installation Wizard—so you 
should create the transform ahead of 
time, before you’re ready to deploy your 
Office package. After creating a transform 
file, you copy it to the folder in which your 
Office setup files reside. 

Figure 1: Entering the path for the Office setup .msi file 

At this point in the package deployment, 
if you decide to use a transform, 
you must choose the Advanced option 
instead of Assign to add the transform to 
the deployment package. After choosing 
Advanced, make sure that the package 
is shown as Assigned on the Deployment 
tab (it should be the only option for a per- 
computer deployment), then select the 
Modifications tab, which Figure 2 shows, 
to add the transform file to the package. 
Click OK to complete the package 
deployment. 

That’s all there is to performing a per- 
computer deployment of Office 2003. 
After the computer reboots, the Office 
2003 installation will commence and 
Office will be installed when the user goes 
to log on to the computer. Now, let’s look 
at how Office 2007 changes this process. 

Office 2007 Changes 

In Office 2007, Microsoft has changed 
the deployment methods, especially 
with respect to deployment via Group 
Policy Software Installation. Not all of 
these changes are for the better, and I 
would say that if you’re thinking about 
deploying Office 2007 via Group Policy 
Software Installation, you should consider 
alternative deployment options such 
as SMS. Here’s what has changed: 

• You no longer run an administrative 
setup to get the Office 2007 files to your 
deployment server share; instead, you 
simply copy the contents of the Office 
CD-ROM directly to the server share. 

• Office 2007 no longer supports per-user 
deployments via Group Policy Software 
Installation—only per-computer deployments. 

• Office 2007 no longer supports transforms 
for customizing Office deployments. A file 
called config.xml, which ships with the 
Office installation files, supports a few 
customizations for use with Group Policy 
Software Installation—but not nearly as 
many as you could perform with the 
Custom Installation Wizard in the earlier 
versions of Office. Office 2007 does provide 
such granular capability with the use of 
.msp files and the Office Customization 
Tool, but these customizations aren’t 
available during Group Policy Software 
Installation deployment of Office 2007. 
With the config.xml file, however, you can 
customize such things as the product key, 
the deployment location of Office on the 
target computers, and the selection of 
Office applications or features that get 
installed. I give an example of what one 
such config.xml file looks like in my blog 
post at http://blogs.dirteam.com/blogs/gpoguy/archive/2007/01/29/what-were-they-thinking-the-office-product-team-strikes-again.aspx. 
This config.xml file should be customized 
prior to deploying Office via Group Policy 
Software Installation, and you’ll need to 
create a different Office installation share 
for each config.xml file you wish to deploy. 

• An Office 2007 installation using Group 
Policy Software Installation isn’t entirely 
unattended. After the initial installation of 
Office, users logging on to their system for 
the first time could be confronted with an 
Office configuration utility, which performs 
a set of post-deployment configurations 
and then logs the user off to complete the 
tasks. 

The bottom line with respect to Office 
2007 deployments via Group Policy 
Software Installation is that the features and 
capabilities available with Office 2003 and 
earlier are no longer supported. However, 
you might still find Group Policy useful in 
customizing Office 2007. 
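As an added example (not the article's own, and not the config.xml from the author's blog post), here is a PowerShell function that writes a config.xml into an Office 2007 installation share, covering the three customizations the article names: the product key, the install location, and which applications get installed. The share layout (`<share>\<product folder>\config.xml`), the product folder name `ProPlus.WW`, the `Product` attribute value and the `OptionState` ID `ACCESSFiles` are assumptions for the Professional Plus edition; the product key below is a placeholder. Requires PowerShell 3 or later.

```powershell
# Added example, not from the article or from Microsoft. Builds a config.xml for an
# Office 2007 installation share used with Group Policy Software Installation.
# Assumptions: layout <ShareRoot>\<ProductFolder>\config.xml, the product folder,
# Product attribute and OptionState IDs match the edition being deployed, and the
# product key is supplied by the caller (a placeholder is shown in the usage line).

function New-OfficeConfigXml {
    param(
        [Parameter(Mandatory = $true)] [string] $ShareRoot,      # e.g. \\dfsroot\packages\Office2007-NoAccess
        [Parameter(Mandatory = $true)] [string] $ProductFolder,  # e.g. ProPlus.WW (edition-specific, assumed)
        [Parameter(Mandatory = $true)] [string] $ProductName,    # e.g. ProPlus (Product attribute, assumed)
        [Parameter(Mandatory = $true)] [string] $ProductKey,     # 25-character key with hyphens removed
        [string]   $InstallLocation = '%ProgramFiles%\Microsoft Office',
        [string[]] $AbsentOptions   = @()                        # OptionState IDs to leave uninstalled
    )

    # Refuse an obviously malformed key rather than publishing a share that fails on every client.
    if ($ProductKey -notmatch '^[A-Za-z0-9]{25}$') {
        throw 'ProductKey must be the 25-character key with hyphens removed.'
    }

    # The article's step 1 for Office 2007: the CD contents are copied to the share as-is,
    # so the product folder must already exist before we drop a config.xml into it.
    $configDir  = Join-Path $ShareRoot $ProductFolder
    $configPath = Join-Path $configDir 'config.xml'
    if (-not (Test-Path $configDir)) {
        throw "Product folder '$configDir' not found; copy the Office CD contents to the share first."
    }

    # Build the document with XmlDocument so attribute values are escaped correctly.
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('Configuration'))
    $root.SetAttribute('Product', $ProductName)

    # Fully silent install: no UI, no completion notice, EULA accepted up front.
    $display = $root.AppendChild($doc.CreateElement('Display'))
    $display.SetAttribute('Level', 'none')
    $display.SetAttribute('CompletionNotice', 'no')
    $display.SetAttribute('SuppressModal', 'yes')
    $display.SetAttribute('AcceptEula', 'yes')

    # Product key (PIDKEY) and install location, the first two customizations the article lists.
    $keyNode = $root.AppendChild($doc.CreateElement('PIDKEY'))
    $keyNode.SetAttribute('Value', $ProductKey)
    $locNode = $root.AppendChild($doc.CreateElement('INSTALLLOCATION'))
    $locNode.SetAttribute('Value', $InstallLocation)

    # Application/feature selection, the third customization: one OptionState per excluded feature.
    foreach ($id in $AbsentOptions) {
        $opt = $root.AppendChild($doc.CreateElement('OptionState'))
        $opt.SetAttribute('Id', $id)
        $opt.SetAttribute('State', 'absent')
        $opt.SetAttribute('Children', 'force')
    }

    $doc.Save($configPath)
    return $configPath
}

# Usage (placeholder values): one call per installation share, since each config.xml
# needs its own share. The OptionState ID for Access is assumed to be ACCESSFiles.
# New-OfficeConfigXml -ShareRoot '\\dfsroot\packages\Office2007-NoAccess' `
#     -ProductFolder 'ProPlus.WW' -ProductName 'ProPlus' `
#     -ProductKey 'XXXXXXXXXXXXXXXXXXXXXXXXX' -AbsentOptions 'ACCESSFiles'
```

Because each config.xml needs its own installation share, run the function once per share rather than editing a single copy in place, and apply the same Authenticated Users Read permission to the new share that the article describes for the Office 2003 share.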



Figure 2: Entering the path for an Office transform 

Using Group Policy to Customize Office 

Following an Office installation, the next 
step is to control its configuration on 
your users’ desktops. Group Policy can 
also help you in that effort. Like many 
other Microsoft applications and system 
components, all recent versions of Office 
come with Administrative Templates that 
can be imported into GPOs to customize 
Office configurations. The Office 
Administrative Templates ship for each 
new version of Office. You can obtain 
them from the Microsoft download site 
(http://www.microsoft.com/downloads). 

These .adm files ship with both per-computer 
and per-user settings. However, it’s 
important to note that these settings are 
preferences, not policies; they will tattoo 
the target computer’s registry until you 
explicitly remove them. To add the Office 
2007 .adm files to a GPO, follow these 
simple steps: 

1. Open GPE and navigate to the 
GPO on which you want to set an Office 
Administrative Template policy. Right-click 
the Administrative Templates node under 
either Computer Configuration or User 
Configuration (it doesn’t matter which) 
and choose Add/Remove Templates. 

2. Navigate to the folder in which 
you’ve saved your Office 2007 .adm 
files and select all the files in that folder. 
After they appear in the Add/Remove 
Templates dialog box, as Figure 3 shows, 
select Close to load them into the GPO. 

3. The Administrative Templates 
will now appear in the Administrative 
Template nodes in both Computer 
Configuration and User Configuration. If 
a setting appears as both per-computer 
and per-user, the per-computer setting 
typically takes precedence, unless otherwise 
stated in the Explain text for the 
policy setting. If you’re using Windows 
Vista to manage Group Policy, the new 
Office templates will appear under the 
Classic Administrative Templates (ADM) 
node rather than in the main tree. To 
view the preferences, you need to tell the 
Microsoft Management Console (MMC) 
snap-in that you want to make them visible. 
To do so, choose View, Filtering and 
clear the Only show policy settings that 
can be fully managed check box. The 
Office templates will be visible and ready 
to be set. 


Note that some aspects of the 
Office template settings will differ from 
other Administrative Template settings. With 
many Administrative Template settings 
that Microsoft provides, when you enable 
a policy for a particular application (e.g., 
Windows Explorer), the setting that’s controlled 
by that policy becomes grayed-out 
in the UI. The end user can’t even access 
the option to change the policy setting. 
However, when you set an Office template 
setting (e.g., the default file save location 
for Microsoft Excel), it appears that the 
end user can go in and modify that option 
in Excel. But, the change made by the 
end user doesn’t “stick,” and the option 
reverts back to the one that you delivered 
in your GPO. This is a subtle but 
important usability difference that you’ll 
find in the Office templates. 

Some Configurations Require 
Third Parties 

The Office Administrative Templates let 
you exert much control over your Office 
deployments. However, not all configuration 
capabilities are supported. For 
example, the most common configuration 
request is to have the ability to pre-create 
Microsoft Outlook profiles with the 
email server options that you want your 
users to have the first time they launch 
Outlook. Unfortunately, this basic setup 
isn’t supported in any versions of the 
Office Administrative Templates. For that 
reason, you have to rely on third-party 
vendors for help. Several vendors provide 
products that extend Group Policy’s 
native capabilities to add advanced 
Office configuration support, including 
DesktopStandard’s PolicyMaker Standard 
Edition (now part of Microsoft), Quest 
Software’s Group Policy Extensions for 
Desktops, and ScriptLogic’s Desktop 
Authority. ScriptLogic’s product lets you 
control Outlook profiles outside of Group 
Policy. Both DesktopStandard’s product 
and Quest’s product are implemented as 
extensions to Group Policy, letting you 
use your existing Group Policy infrastructure 
to deploy the Outlook configuration 
I mentioned earlier as well as other 
configuration scenarios not supported by the 
Office Administrative Templates. 

With Group Policy Software Installation 
for Office deployment and Office 
Administrative Templates to lock down 
the behavior of various Office applications 
for your users, you can ease the burden 
of managing what has historically been 
a large and complicated software suite. 
And, if you throw third-party products into 
the mix, there’s almost nothing you can’t 
do to manage your Office users. 

Figure 3: Loading the Office 2007 .adm files into a GPO 

Tricks & Traps - Ask the Experts 


Q: What’s DNS scavenging, and 
why would I need it? 

A: With Windows 2000 and the 
introduction of dynamic DNS 
(DDNS), whereby computers 
register their own hostname to IP 
address records (or the DHCP server 
registers on the client's behalf), the 
DNS zones can quickly become polluted 
with out-of-date records. To 
resolve this problem, you can configure 
how long records should stay 
in the zone before being removed or 
scavenged. To enable scavenging for 
a DNS zone, perform these steps: 

1. Right-click a zone in the Microsoft Management Console (MMC) DNS Management snap-in and select Properties. 

2. Click the Aging button. 

3. Select the Scavenge stale resource records check box, as Figure 1 shows. You'll see two options: no-refresh interval and refresh interval. The no-refresh interval stops unnecessary updates on an existing record, thus reducing replication traffic. The default is seven days, so any attempt to reregister the record within seven days will be ignored. The refresh interval is the time between when the no-refresh interval expires and the record is considered stale. If you leave the default of seven days, the client would need to reregister within 14 days (but after seven days). 

4. Leave the default settings and click OK. 

The values for the refresh and no-refresh settings should be based on the DHCP lease time. The default lease time is eight days, which works well with seven-day no-refresh and refresh intervals. If you reduce the lease times, you should also reduce the refresh and no-refresh intervals to ensure that stale records aren't left in the DNS zones for too long. Also, the sum of the no-refresh and refresh values must be greater than the DHCP lease time; otherwise, records could be scavenged before the DHCP lease has expired. 

The actual DNS scavenging by default occurs once a week. If your refresh intervals are much smaller than a week, you should configure the scavenging to occur more often. To do so, use the dnscmd command line tool, as follows: 

dnscmd /config /scavenginginterval <hours> 

This command updates the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DNS\Parameters\scavenginginterval registry subkey. 
—John Savill 
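The two rules in the answer above (no-refresh plus refresh must exceed the DHCP lease, and the scavenging period should not be much longer than the refresh interval) are easy to get wrong when the defaults are changed. The following Python check is an added example, not part of the column: it models a record's refresh window under a given aging policy and reports settings that break either rule. The AgingPolicy class, its defaults and the function names are this example's own; the interval units (days in the zone's Aging dialog, hours for dnscmd) follow the answer.

```python
"""Consistency checks for DNS aging and scavenging settings.

Added example (not the column's code). Intervals are in days, as in the
zone's Aging dialog; the scavenging period is in hours, as dnscmd takes it.
"""
from dataclasses import dataclass
from datetime import datetime

HOURS_PER_WEEK = 7 * 24  # Windows DNS default: one scavenging pass a week


@dataclass
class AgingPolicy:
    no_refresh_days: float = 7      # snap-in default
    refresh_days: float = 7         # snap-in default
    dhcp_lease_days: float = 8      # DHCP default lease
    scavenging_hours: float = HOURS_PER_WEEK


def _as_dt(value):
    """Accept a datetime or an ISO date string such as '2007-03-01'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def refresh_window(policy, last_refresh):
    """Return (refresh_opens_at, stale_at) for a record stamped last_refresh.

    Re-registrations before refresh_opens_at are ignored (no-refresh interval);
    a record not refreshed by stale_at is eligible for the next scavenging pass.
    """
    from datetime import timedelta
    opens = _as_dt(last_refresh) + timedelta(days=policy.no_refresh_days)
    stale = opens + timedelta(days=policy.refresh_days)
    return opens, stale


def refresh_accepted(policy, last_refresh, now):
    """True if a dynamic update at `now` would actually bump the timestamp."""
    return _as_dt(now) >= refresh_window(policy, last_refresh)[0]


def is_scavengeable(policy, last_refresh, now):
    """True once the record is stale and may be removed by scavenging."""
    return _as_dt(now) >= refresh_window(policy, last_refresh)[1]


def scavenging_command(hours):
    """The dnscmd invocation that sets the server-wide scavenging period."""
    return f"dnscmd /config /scavenginginterval {int(hours)}"


def check_policy(policy):
    """Apply the answer's two rules; an empty list means the settings agree."""
    findings = []
    # Rule 1: a client that still holds its lease has no reason to re-register,
    # so its record must not go stale before the lease runs out.
    if policy.no_refresh_days + policy.refresh_days <= policy.dhcp_lease_days:
        findings.append(
            f"no-refresh ({policy.no_refresh_days:g} d) + refresh "
            f"({policy.refresh_days:g} d) must exceed the DHCP lease "
            f"({policy.dhcp_lease_days:g} d)")
    # Rule 2: if records go stale faster than scavenging runs, stale entries
    # linger until the next pass; scavenge at least as often as they go stale.
    if policy.scavenging_hours > policy.refresh_days * 24:
        findings.append(
            f"scavenging runs every {policy.scavenging_hours:g} h but records go "
            f"stale after {policy.refresh_days:g} d; consider: "
            + scavenging_command(policy.refresh_days * 24))
    return findings


if __name__ == "__main__":
    print(refresh_window(AgingPolicy(), "2007-03-01"))
    for p in (AgingPolicy(),
              AgingPolicy(no_refresh_days=3, refresh_days=3, scavenging_hours=72),
              AgingPolicy(no_refresh_days=7, refresh_days=2)):
        print(p, check_policy(p) or "OK")
```

With the defaults (7/7 days, 8-day lease, weekly scavenging) the check is clean; shortening both intervals to 3 days without touching the lease trips rule 1, and a 2-day refresh interval with weekly scavenging trips rule 2 and suggests the matching dnscmd setting.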

Q: How can I migrate applications 
during an OS upgrade to Windows 
Vista? 

A: When you upgrade an OS, you need to be sure to maintain the many settings and data sources, such as user configuration, user data, machine settings, and application components (e.g., program executables and DLLs). In a pre-Vista upgrade, maintaining this information wasn't a problem; the new OS files were overlaid on the previous OS files with registry configuration, dll registration, and other data left intact. However, Vista introduces a new deployment process in which the hard disk is wiped (except for select areas) and a clean installation is performed. 

Tools such as the File and Settings Transfer Wizard (called Easy Transfer Wizard in Vista) and the User State Migration Tool (USMT) can help you migrate machine and user information, but these tools won't migrate applications. This application migration is vital for an upgrade of Vista and is implemented as part of the Vista setup process by essentially looking at the down-level OS (e.g., Windows XP) and separating the Windows components from non-Windows components. The non-Windows components are copied to a safe area on the disk. The setup process then cleans the disk, lays down the Vista image, then puts back the non-Windows components. To the user, it appears as though an upgrade has been performed because his or her settings, data, and applications are all present. 

So how do you migrate applications outside of Vista setup? First, be aware that just because application migration is possible doesn't mean it's desirable. In general, in enterprise environments, a fresh installation of Vista and subsequent deployment of applications via Group Policy or Microsoft Systems Management Server (SMS) is preferable to avoid carrying over old garbage from the previous OS. 
The engine used by the Vista upgrade process shares much of its code with the Windows Easy Transfer Wizard, which is a core part of Vista. However, the wizard doesn't migrate applications. Microsoft will soon release the Windows Easy Transfer Companion, which will help you migrate applications and will be available to all Windows Genuine Advantage users. Therefore one solution is to wait for the Windows Easy Transfer Companion to migrate applications. 

Another solution is to use the Vista setup engine, which means deploying Vista via Business Desktop Deployment (BDD) 2007 or any other method that calls the Vista setup routine. You can also use third-party migration tools such as Laplink Software's PCmover to migrate applications. Although migrating applications is possible, be aware that compatibility problems are common. At least the Vista upgrade process will first run a compatibility check to identify problem applications and drivers and force a removal prior to migration. That's usually a safer solution than simply migrating applications and risking breaking the newly deployed OS. 

InstantDoc ID 95230 
—John Savill 


PsExec, User Account Control, and Security Boundaries 


This is a summary of a popular posting to Mark Russinovich's technical blog (https://blogs.technet.com/markrussinovich/about.aspx), which covers topics such as Windows troubleshooting, technologies, and security. You can read the entire post at https://blogs.technet.com/markrussinovich/archive/2007/02/12/638372.aspx. 


I introduced the -I switch to the PsExec tool about a year and a half ago as an easy way to execute processes with standard-user rights from an administrative account on Windows XP. PsExec uses the CreateRestrictedToken API to create a security context that’s a version of the one your account is using, but without membership in the local Administrators group or any administrative privileges. A process running in that security context has only the privileges and accesses of a standard user account. 

There’s one catch to the virtual sandbox that the restricted token creates: Processes running in the sandbox are 
running as you, and thus can read and write any files, registry keys, and processes to which your account has access. 
That caveat creates gaps in the sandbox walls, and malicious code could take advantage of these gaps to escape and 
become a full Administrator. So why do I still recommend using the PsExec feature to run processes with limited rights 
on XP when you use an administrator account instead of a standard user account? Because this type of sandbox hasn’t 
been widely used, malware authors haven’t bothered to write the code necessary to escape the sandbox walls. 

However, Windows Vista changes that situation because it uses an enhanced form of this sandbox in User Account Control (UAC) and Internet Explorer (IE) Protected Mode. With UAC, all users, including administrators, run with standard user rights. For executables that require administrative rights, UAC asks the user’s permission for it to run with administrative rights. 

This act of giving an executable administrative rights is called elevation in UAC. When you elevate, you create processes that have administrative rights on the same desktop as those that have standard user rights. Processes elevated from a standard user account run in a different account from those with standard user rights, so the Windows security model defines a wall around the elevated process that prevents the non-elevated processes from writing code into those that are elevated. However, it doesn’t prevent non-elevated processes from sending fake input into elevated processes, nor does it create a sandbox around the non-elevated processes of administrative users to stop the processes from compromising the administrator’s elevated processes. Vista therefore introduced Windows Integrity Controls, which supply additional fencing for the sandbox. 

In Vista’s integrity model, every process runs at an integrity level (IL) and every securable object has an IL. The primary integrity levels are low, 
medium (the default), high (for elevated processes) and system. The integrity mechanism prevents lower-IL processes from sending all but a few 
informational window messages to the windows owned by processes of a higher IL. It also only allows a process to open an object for write access if 
the process IL is equal to or higher than that of the object. And processes can’t open processes of a higher IL for read access. 

The new version of PsExec takes advantage of the enhanced Vista sandbox when you specify the -I switch, running the executable you specify 
with a standard user token at low IL. The sandbox PsExec creates is almost identical to the one surrounding IE Protected Mode, and you can feel 
your way around the walls by launching a command prompt or regedit at low IL and seeing what you can modify. 

With the exception of processes and threads, the wall doesn’t block reads. That means that your low-IL command prompt or IE Protected Mode can read objects that your account can, including a user’s documents and registry keys. Even the ability of a process at low IL to manipulate objects of a higher IL isn’t necessarily prevented. You can read more details of these types of sandbox breaches in my blog at https://blogs.technet.com/markrussinovich/archive/2007/02/12/638372.aspx. 

So if your elevated processes are susceptible to compromise by those running at a lower IL, why did Vista go to the trouble of introducing elevations and ILs? Microsoft wants to lead us to a world in which everyone runs as standard user by default, and all software is written with that assumption. Without the convenience of elevations, most of us would continue to run with administrative rights all the time. 

InstantDoc ID 95231 

—Mark Russinovich 
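The integrity rules summarized in the article above (write access only at an equal or higher IL, reads unblocked except for higher-IL processes and threads, and only a few informational window messages allowed upward) can be stated as a small executable model. The Python below is an added example, not Mark Russinovich's code or Windows source: the numeric levels are the RIDs of the documented S-1-16-<RID> label SIDs (S-1-16-12288 is High), the INFORMATIONAL_MESSAGES set is a constructed subset rather than the full UIPI exception list, and effective_access is this example's own way of showing that the integrity check sits in front of the DACL check.

```python
"""Model of Vista's integrity-level rules: no-write-up, no-read-up for
processes, and UIPI message filtering.

Added example, not the author's code. Level values are the RIDs of the
S-1-16-<RID> integrity label SIDs; the message set is a constructed subset.
"""

UNTRUSTED, LOW, MEDIUM, HIGH, SYSTEM = 0, 4096, 8192, 12288, 16384
LEVEL_NAMES = {UNTRUSTED: "Untrusted", LOW: "Low", MEDIUM: "Medium",
               HIGH: "High", SYSTEM: "System"}

# Assumption for this example: a few informational messages UIPI lets a
# lower-IL window send upward; anything else from a lower IL is dropped.
INFORMATIONAL_MESSAGES = {"WM_NULL", "WM_GETTEXTLENGTH"}


def integrity_from_sid(sid):
    """'S-1-16-12288' -> 12288. Raises ValueError for SIDs that are not labels."""
    parts = sid.split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"]:
        raise ValueError(f"not an integrity label SID: {sid}")
    return int(parts[3])


def level_name(il):
    return LEVEL_NAMES.get(il, f"IL {il}")


def can_write(process_il, object_il):
    """No-write-up: write access requires process IL >= object IL."""
    return process_il >= object_il


def can_read(process_il, object_il, object_is_process=False):
    """Reads pass the wall, except that a higher-IL process or thread
    cannot be opened even for read."""
    if object_is_process:
        return process_il >= object_il
    return True


def can_send_message(sender_il, window_il, message):
    """UIPI: a lower-IL window may send only informational messages upward."""
    if sender_il >= window_il:
        return True
    return message in INFORMATIONAL_MESSAGES


def effective_access(process_il, object_il, dacl_read, dacl_write,
                     object_is_process=False):
    """Integrity check first, then the object's DACL.

    This is the gap the article describes: a Low-IL process still reads
    everything the user's own DACLs allow; only writes (and reads of
    higher-IL processes) are fenced off.
    """
    return {
        "read": dacl_read and can_read(process_il, object_il, object_is_process),
        "write": dacl_write and can_write(process_il, object_il),
    }


if __name__ == "__main__":
    # A psexec -l style sandbox: Low-IL process touching the user's Medium-IL files.
    print(level_name(integrity_from_sid("S-1-16-12288")))          # High
    print(effective_access(LOW, MEDIUM, dacl_read=True, dacl_write=True))
    print(effective_access(LOW, MEDIUM, True, True, object_is_process=True))
    print(can_send_message(LOW, HIGH, "WM_KEYDOWN"),
          can_send_message(LOW, HIGH, "WM_NULL"))
```

Running the sandbox case shows exactly the asymmetry the article warns about: the Low-IL process gets read but not write on the user's Medium-IL data, gets neither on a Medium-IL process, and cannot deliver input messages to a High-IL window.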
Reader to Reader 




Safeguard the Data on USB Storage Devices Without Spending a Dime 

With their high capacity and low cost, USB storage devices have become popular for backing up and storing data. However, with the convenience comes a risk: What happens if you lose a USB storage device that has confidential business data or personal data? Losing confidential business data can damage a company's reputation and put employees and customers at risk. With the rise in identity theft, losing personal data can be equally damaging. 

You don't need to stop using USB storage devices because of this risk. Instead, you just need to safeguard the data you store on them. Although you can purchase USB storage devices that feature fingerprint recognition technology, encryption capabilities, and password protection, you can use free software solutions to protect the data on existing USB storage devices. My favorite is TrueCrypt, which you can use with Windows Server 2003, Windows XP, Windows 2000, and Linux. 

TrueCrypt (http://www.truecrypt.org) is a free open-source tool that uses encrypted volumes to protect data on USB storage devices and PCs. (You can also use it to encrypt physical partitions or devices.) Data on encrypted volumes can't be accessed without the correct password or password and keyfile combination. You can create a standard volume or a hidden volume. A hidden volume is a volume hidden inside a standard volume. 

I used TrueCrypt to create a password-protected standard volume on my USB storage device and a backup copy of the encrypted volume on my PC. With this setup, my data is secure and backed up in case my USB storage device is ever lost or stolen. Here's how you can do the same: 

1. Attach your USB storage device to your PC. 

2. Download and install the TrueCrypt software on your PC. 

3. Launch TrueCrypt. In the TrueCrypt UI, click the Create Volume button to launch the TrueCrypt Volume Creation Wizard. 

4. In the opening page, select the Create a standard TrueCrypt volume option and click Next. 

5. In the Volume Location page, click Select File. In the Specify Path and File Name dialog box, specify the path to the volume you want to create on the USB storage device (e.g., E:\PersonalData\) and the name you'd like to give the volume (e.g., Confidential). Click Open, then Next. 

5. In the Encryption Options page, you can select the encryption and hash algorithms you want to use. Unless you have specific algorithms in mind, leave the defaults and click Next. 

6. In the Volume Size page, specify the maximum size of the volume, then click Next. How much space you want to allocate to the volume is up to you. For example, my USB storage device is 1GB, so I allocated 500MB to the volume. 

7. In the Volume Password page, enter the password you want to use. The stronger the password, the more difficult it will be to guess or crack. TrueCrypt recommends that you use a password that's at least 20 characters long and has a combination of uppercase letters, lowercase letters, numbers, and special characters. Reenter the password to confirm it, and click Next. 

8. In the Volume Format page, select the appropriate file system (in my case, I chose NTFS), then randomly move the mouse within the Volume Creation Wizard window for 30 seconds or longer. According to TrueCrypt, moving the mouse is important for the quality of the encryption key. Click Format. 

9. After the formatting finishes you'll receive a message box stating the volume was successfully created. Click OK, then click Exit to close the Volume Creation Wizard. 

Note that steps 1 through 9 are required only when you're creating the volume for the first time. After it's created, you only need to follow steps 10 through 13 to use it. 

10. In the TrueCrypt UI, select the drive letter to which you want to mount the volume, then click Select File. In the Select a TrueCrypt Volume dialog box, select the volume you just created and click Open. In the TrueCrypt UI, click Mount. You'll be prompted for a password. Enter the password you specified in Step 7, and click OK. 

11. Now that your volume has allocated space and a drive letter assigned to it, you can move all your confidential data to this virtual drive. You move files to this virtual drive the same way you move files to any other drive. For example, you can use Windows Explorer to move files to the virtual drive. The data is encrypted on the fly as it's being written. 

12. After all the data is on the virtual drive, you need to dismount the volume. In the TrueCrypt UI, click the Dismount button. Click Exit to close the TrueCrypt application. 

13. Copy the TrueCrypt program folder from your PC to the USB storage device. That way, you can view the encrypted volume on the USB storage device no matter what PC you're using. (To view data on the encrypted volume, you need the TrueCrypt software.) 

14. Keep a copy of the encrypted volume on your PC to serve as a backup. 

With this setup, your confidential data is encrypted and backed up, giving you peace of mind. And it didn't cost you anything other than a little bit of your time. 

—Asif Bhatti 

InstantDoc ID 95235 

If you want to know how to set up a single sign-on environment, check out the On-Demand TechNet Webcast "Single Sign-On" at http://www.windowsitpro.com/events 

2 Simple Commands Let You Match TCP Connections With Processes 

In many situations, it's helpful to identify which TCP connections are associated with which processes on a computer. With this information, you can determine whether a TCP connection is valid or unauthorized, determine whether a connection that's been active for a long time should be disconnected, or troubleshoot other types of problems. 

You can use two simple commands to quickly match TCP connections with processes. First, you use the following Netstat command: 

netstat -aenos -p tcp 

In the output, you need to locate the Active Connections section. As Figure 1 shows, this section includes the Foreign Address, State, and PID columns. The Foreign Address column contains the TCP/IP address and port (which appears after the colon) of the remote computer to which the local computer is connected. The State column specifies the connection's state when the Netstat command executed. The PID column shows the process identifier (PID) associated with the TCP connection. 

Proto Local Address Foreign Address State PID 
TCP 192.111.10.12:1386 66.77.76.81:80 ESTABLISHED 3532 

Figure 1: Sample Active Connections section from the Netstat command 

The PID is the information you're after, but few people can identify a process by its PID. To get the name of the process, you can run the following Tasklist command: 

tasklist /v /fo List /fi "pid eq xxx" 

where xxx is the PID. As Figure 2 shows, the output includes the process's image name (e.g., iexplore.exe) and display name (e.g., Microsoft Internet Explorer). 

—Fritz Shad 

InstantDoc ID 95237 
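Doing the two-command match by hand works for one connection; for a whole host it is worth scripting the join on the PID. The Python below is an added example, not the reader's code: it parses the Active Connections rows of netstat output, parses the Key: value lines of tasklist /fo List output, joins them by PID, and flags established connections owned by images that are not on an allowlist. NETSTAT_SAMPLE and TASKLIST_SAMPLES are constructed to mirror the output shapes described above (the Figure 1 row is reused), not captured from a real machine; live_tasklist is the one function that shells out and only works on Windows.

```python
"""Match TCP connections to their owning processes by joining the output of
'netstat -aenos -p tcp' and 'tasklist /v /fo List /fi "pid eq N"' on the PID.

Added example, not the reader's code. The sample text below is constructed
to mirror the documented output shapes; it is not a capture from a host.
"""
import re
import subprocess

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    192.111.10.12:1386     66.77.76.81:80         ESTABLISHED     3532
  TCP    192.111.10.12:1390     10.0.0.5:445           ESTABLISHED     4
"""

# Constructed '/fo List' output per PID (the real tool prints more fields).
TASKLIST_SAMPLES = {
    980: "Image Name:   svchost.exe\nPID:          980\nWindow Title: N/A\n",
    3532: ("Image Name:   iexplore.exe\nPID:          3532\nSession Name: Console\n"
           "User Name:    CORP\\alice\nWindow Title: Microsoft Internet Explorer\n"),
    4: "Image Name:   System\nPID:          4\nWindow Title: N/A\n",
}

# One connection row: proto, local, foreign, state, pid. The statistics
# blocks that -s adds ("TCP Statistics for IPv4") have no PID and are skipped.
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Rows of the Active Connections section as dicts."""
    rows = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if not m:
            continue
        local, foreign, state, pid = m.groups()
        host, _, port = foreign.rpartition(":")   # the port follows the last colon
        rows.append({"local": local, "foreign_host": host,
                     "foreign_port": int(port), "state": state, "pid": int(pid)})
    return rows


def parse_tasklist_list(text):
    """'Key:   value' lines from /fo List into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def tasklist_command(pid):
    return f'tasklist /v /fo List /fi "pid eq {pid}"'


def live_tasklist(pid):
    """Run the real command (Windows only) and return its text output."""
    return subprocess.run(tasklist_command(pid), capture_output=True,
                          text=True, shell=True).stdout


def match_connections(netstat_text, lookup, state="ESTABLISHED"):
    """Join every connection in `state` to its process; `lookup(pid)` returns
    tasklist text (TASKLIST_SAMPLES.__getitem__ offline, live_tasklist on Windows)."""
    out = []
    for conn in parse_netstat(netstat_text):
        if conn["state"] != state:
            continue
        info = parse_tasklist_list(lookup(conn["pid"]))
        out.append({**conn, "image": info.get("Image Name", "?"),
                    "title": info.get("Window Title", "")})
    return out


def unexpected(matches, allowed_images):
    """Connections owned by images not on the allowlist: review candidates."""
    allowed = {a.lower() for a in allowed_images}
    return [m for m in matches if m["image"].lower() not in allowed]


if __name__ == "__main__":
    found = match_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLES.__getitem__)
    for m in found:
        print(f'{m["image"]:<14} pid {m["pid"]:<6} -> {m["foreign_host"]}:{m["foreign_port"]}')
    print("review:", [(m["image"], m["pid"]) for m in unexpected(found, ["iexplore.exe"])])
```

The allowlist step is what turns the lookup into a check: on the sample data the iexplore.exe connection to port 80 is expected, while the System-owned connection to port 445 is the one left for review.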



Script Makes Searching for GPO Settings a Snap 

I often don't know in which Group Policy Object (GPO) a setting resides. Fortunately, I discovered a script—GetReportsForAllGPOs.wsf—that helps me quickly obtain this information. GetReportsForAllGPOs.wsf is one of the sample scripts that ships with Group Policy Management Console (GPMC). For each GPO in Active Directory (AD), GetReportsForAllGPOs.wsf generates an HTML file and an XML file that contains configuration and other types of information about the GPO. (You can also use this script to generate HTML and XML files for a specific GPO or for all the GPOs in a specific domain.) 

You can find GetReportsForAllGPOs.wsf in the %programfiles%\GPMC\Scripts directory. To use this script to search for settings, follow these steps: 

1. Create a folder that will be used to store the HTML and XML files for the GPOs. For example, I created a folder named Exported GPO on the C drive. 

2. Run the script GetReportsForAllGPOs.wsf from the %programfiles%\GPMC\Scripts folder, following the syntax 

CScript GetReportsForAllGPOs.wsf GpoFiles 

where GpoFiles is the pathname to the folder you created in Step 1 (e.g., C:\Exported GPO). Enter the command on one line in the command-shell window. 

3. After the script runs, delete all XML files in the folder you created. 

4. To search all HTML files for the parameter you want, right-click the folder you created and select Search. In the A word or phrase in the file text box, enter an appropriate search term. For example, if you need to find Windows Server Update Services (WSUS) parameters, you can enter the name of your WSUS server. (You can't enter WSUS as the search term because the word WSUS doesn't exist in the GPOs. The GPO setting to configure WSUS is Specify intranet Microsoft update service location.) Click Search to get a list of all the GPOs containing what you searched for. 

—Peter Ekstorp 
InstantDoc ID 95236 
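Step 4 searches the HTML reports with Windows Search, which works on the displayed text rather than the markup. The Python below is an added example, not one of the GPMC sample scripts: it reads the HTML reports from the folder of step 1, strips tags and entities so a search sees what the report displays, and reports which GPOs contain a term. It also reproduces the caveat in step 4: searching for "WSUS" finds nothing, while the server name or the policy name does. SAMPLE_REPORTS are constructed snippets that imitate the shape of the script's HTML output; load_reports reads only *.html, so step 3 (deleting the XML files) becomes optional.

```python
"""Search exported GPO reports for a setting.

Added example, not part of the GPMC sample scripts. SAMPLE_REPORTS are
constructed HTML snippets keyed by GPO name, not real script output.
"""
import html
import re
from pathlib import Path

TAG = re.compile(r"<[^>]+>")
WS = re.compile(r"\s+")


def visible_text(report_html):
    """Strip tags and decode entities so a search matches the displayed text."""
    return WS.sub(" ", html.unescape(TAG.sub(" ", report_html))).strip()


def load_reports(folder):
    """Read every HTML report in the folder from step 1 (e.g., C:\\Exported GPO).

    Only *.html is read, so the XML files the script also writes can stay.
    """
    return {p.stem: p.read_text(encoding="utf-8", errors="replace")
            for p in Path(folder).glob("*.html")}


def find_gpos(reports, term):
    """Names of the GPOs whose report text contains `term`, case-insensitively."""
    needle = term.lower()
    return sorted(name for name, doc in reports.items()
                  if needle in visible_text(doc).lower())


SAMPLE_REPORTS = {
    "Workstation Updates": (
        "<html><body><h2>Computer Configuration</h2><table>"
        "<tr><td>Specify intranet Microsoft update service location</td>"
        "<td>Enabled</td></tr>"
        "<tr><td>Set the intranet update service for detecting updates:</td>"
        "<td>http://updates01.corp.example:8530</td></tr></table></body></html>"),
    "Default Domain Policy": (
        "<html><body><h2>Account Policies</h2>"
        "<p>Minimum password length: 8 characters</p></body></html>"),
}

if __name__ == "__main__":
    print(find_gpos(SAMPLE_REPORTS, "WSUS"))       # [] -- the word never appears
    print(find_gpos(SAMPLE_REPORTS, "updates01"))  # ['Workstation Updates']
    # On a real export: find_gpos(load_reports(r"C:\Exported GPO"), "updates01")
```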
The Business End 




Successfully Managing Change 

Good people managers follow 5 principles and avoid 3 common mistakes 


Given how frequently change occurs in the workplace, it's always surprised me how much managers struggle with managing change. In The Prince, Niccolo Machiavelli wrote, "There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things.” And indeed, the risks are great: Failure to manage change well can damage employee morale, create an atmosphere of mistrust, cause good employees to leave their jobs, and most importantly, disrupt business continuity. To manage change successfully, you need to avoid three common mistakes and observe a handful of change-management principles and strategies. 


3 Common Mistakes 

Managers who are unsure of their ability to manage change 
can easily end up alienating employees. In my experience, 
the three most common mistakes managers make when 
trying to manage change are making it a surprise, not doing 
enough to resolve uncertainty, and being insensitive to 
employees' feelings. 

Making change a surprise. A colleague of mine once compared a reorganization in her division to a baby watching a jack-in-the-box: "Here you are sitting on the floor, looking at a colorful box, listening to soothing music, and then out of nowhere a scary clown-like puppet springs out of the box and the music stops." A sudden announcement of change can be jarring—particularly if employees don't perceive the need for the change. 

When you spring change on employees, they feel ambushed and left out of important business or technical decisions. Why do managers surprise employees with change? Many do so in the belief that they're doing the right thing by not disrupting the rhythm of business or distracting employees. Although such managers mean well, this argument for sudden change is patronizing and rarely holds water. Save surprises for birthdays, when they're more likely to be appreciated. 

Letting uncertainty over change linger. Allowing uncertainty over change to persist is just as bad as making change a surprise. Long periods of uncertainty often occur when a big change is only partially implemented, and during that period of unpredictability rumors spread unchecked. Uncertain employees become conservative because they don't want to take risks that might jeopardize their position after the change takes place. For example, employees might hesitate to take on long-term projects, fearing that the work they complete now will become irrelevant or unimportant. 

Many managers fall into the trap of letting uncertainty over change linger because, although they recognize that making change a surprise is undesirable, they underestimate how long it will take to implement the change. The biggest consequence of lingering uncertainty over change is that top performers might find new jobs in which they can be successful immediately. 

Being insensitive to employees' feelings. As a manager, you need to be careful about how you discuss the change, even if employees understand it and consider it to be good for the business. You need to be especially perceptive when a decision is made to discontinue a group's or individual's work. Simply announcing that the group or person will be reassigned to different projects or priorities will lead to the quality of those employees' work being questioned and could demoralize those employees if they perceive the change as a reflection of the value of their work. 

Frequently, managers—particularly those who don't work directly with the affected employees—don't understand how personal an employee's work can be, especially if the employee has been working on a project for a long time. During times of change, recognize your employees' hard work and dedication, even if your business is moving away from the project they've been working on. It's also important to make your employees feel valued in the reorganized business. 

5 Principles for Successfully Managing Change 

You can successfully manage change by communicating 
clearly and being sensitive to employees' feelings. Let the 
following five principles guide you: 

• Be transparent. Whether the change is driven by bad news (e.g., poor sales) or good news (e.g., growth), be open and honest about why the change is taking place. Explain the reason for the change, the timeline for implementing it, and who the decision makers will be during the change process. 

• Initially announce the change to front-line managers and influential individual contributors. Ask those people to announce the change to their teams and to find out how their employees feel about it. Then, respond to everyone's thoughts and concerns in a larger meeting. 

• Drive for certainty. After the initial announcement about the change has been made, eliminate as much uncertainty as you can, even if it means implementing the change in some areas of your department before others. For example, if you know that some part of the larger organization will not be affected by the change, let that group of employees know as soon as possible. 

• Be sensitive to your employees' feelings. Some of your employees will react viscerally regardless of the type of change. Be honest, and explain why the future will be better than today even though difficult short-term trade-offs might accompany the change. If there will be a long period of time between the announcement of the change and its completion, update your employees regularly about the status of the change and the factors that are delaying its implementation. 

• Celebrate the change. One of the best lessons I've learned about managing change came from a Microsoft vice president who always makes the formal (and final) announcement of the completion of a change into a celebration of the new beginning that the change is bringing. And he doesn't make the announcement of change just a symbolic celebration—he makes it a real party. 

The Measure of Success 

A successful implementation of change is one that minimally disrupts the rhythm of your business, doesn't overly damage employee morale, and doesn't result in losing key employees in the process. Ultimately, the measure of successful change management is the time it takes to get everyone in your organization positioned and intellectually on board with the new mission. Because it's likely that you'll be managing many changes over the course of your career, develop the skills you'll need now so that you'll be prepared to manage the changes that will inevitably take place in the future. 

—Ben Smith 

InstantDoc ID 95129 
Windows Power Tools 




The Rise of Whoami 

Vista gives this terrific tool a shot in the arm 


There's this restaurant I go to fairly regularly. It's a nice place, but one of the specials has been the same for seven years. I've taken to interrupting the waiter when he starts listing the specials of the day, finishing the description of that dish for him. If he hasn't hit me over the head with a pepper grinder, I take a moment to exclaim, "That dish has been on the menu since you were in junior high!" 

Some Windows programs remind me of that seven-year-old special: They're old and trusty friends that seem mysteriously and forever relegated to Support Tools or the resource kit, despite the fact that administrators use them more than they use many in-the-box tools. But that scenario has changed in Windows Vista. Helpful tools such as Robocopy, SC, and Whoami are now officially supported, in-the-box tools. 

I discussed Whoami briefly in "Identity Report" (March 2003, InstantDoc ID 37941), but Vista's User Account Control (UAC) and Windows Integrity Control (WIC) components make Whoami even more useful. Now is the time to revisit this great tool. 


How It Works 

To see Whoami in action, log on to a Vista machine as an 
administrator, open a command prompt, and type 

whoami /all 

That command—as it has always done—displays your 
username, your SID, the groups you belong to (including 
their SIDs), and your account's user privileges. However, 
logging on to a Vista machine as an administrator causes 
Vista's UAC feature to generate not one logon token but 
two: an administrative token (AT) that contains all your 
administrative group memberships and privileges, as 
well as a standard user token (SUT) that UAC strips of any 
administrative powers. 

Whenever you run a program, Vista uses a set of criteria to decide whether to attach your high-power AT or your low-power SUT to that program. If Vista doesn't annoy you with one of its Continue/Cancel dialog boxes, Vista has probably assigned the SUT to your program. And, inasmuch as Vista doesn't display the Continue/Cancel dialog box at this point, the command prompt has the SUT. For verification, notice that Administrators isn't among your group memberships—save for a somewhat snitty comment that your Administrators membership is a Group used for deny only. 

If you open another command prompt—but this time, first right-click the Command Prompt icon and choose Run as administrator—and run the same Whoami command again, you'll see that you have all your group memberships, along with many more privileges than you have in the impoverished SUT-attached command prompt. By the way, if you're getting cross-eyed from looking at all those long lines of output that break on a standard command-prompt window, try the easier-to-read version that results from this command: 

whoami /all /fo List 

You can also follow the /fo option with table (which gives 
you the ugly line-breaking output that you saw before) or 
csv (which produces ready-to-import comma-separated 
variable—CSV—output). Want a little less information? 
Try replacing /all with /user to get just your username and 
SID, /groups to see only your group memberships, or /priv 
to display just your user privileges. 


WIC in Action 

While you have two command prompts open—one 
equipped with an AT (the word administrator will be in the 
window title) and the other with an SUT—type 

whoami /groups /fo List 

to dump your group membership, and note that your administrative command prompt is a member of an odd-looking group. Whoami reports an unknown SID type of S-1-16-12288 and a group name of Mandatory Label\High Mandatory Level. Here's where Whoami reveals the traces of Vista's WIC (formerly Mandatory Integrity Control—MIC) mechanism in action. 

Vista categorizes user accounts, processes, and objects 
(e.g., files, folders) with several levels of what you might call 
trustworthiness but what Vista called integrity. These levels 
include untrusted, low, medium, high, system, and trusted 
installer. This topic is too big for this column, so suffice it to 
say, any process trying to modify an object that has a higher 
integrity will fail, even if that process's token contains a Full 
Control permission to that object. By default, Vista labels 
standard users as medium integrity and administrators as high 
integrity. The aforementioned High Mandatory Level indicates 
that the token on your administrative command prompt has 
a high integrity level. A Whoami /groups /fo list on the other 
command prompt will reveal a medium integrity level. 
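As an added example (not from the column), the following Python script parses the CSV form of whoami /groups (the /fo csv option described above) and names the integrity level carried by the Mandatory Label row, so you can confirm that an elevated prompt really is High and a standard one Medium. It assumes whoami's CSV header row ("Group Name","Type","SID","Attributes"); the two token dumps inside it are constructed rather than captured, and the RID-to-level table beyond the S-1-16-12288 value named above uses the standard Windows values.

```python
"""Parse `whoami /groups /fo csv` output and report the token's integrity level.

Added example, not from the column. Assumes the CSV layout that whoami
emits: a header row "Group Name","Type","SID","Attributes" followed by one
row per group or label. The sample dumps below are constructed.
"""
import csv
import io

# Well-known mandatory-label SIDs under the S-1-16 authority; the RID is
# the integrity level. The column names S-1-16-12288 (High); the others are
# the standard Windows values.
INTEGRITY_LEVELS = {
    0: "Untrusted",
    4096: "Low",
    8192: "Medium",
    12288: "High",
    16384: "System",
}


def integrity_level_from_sid(sid):
    """Return the level name for an S-1-16-<rid> SID, or None for any other SID."""
    parts = sid.strip().split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"]:
        return None
    try:
        rid = int(parts[3])
    except ValueError:
        return None
    return INTEGRITY_LEVELS.get(rid, "Unknown level (RID %d)" % rid)


def parse_whoami_groups_csv(text):
    """Turn the CSV text into a list of {column: value} dicts, one per row."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def token_integrity_level(text):
    """Find the Mandatory Label row in a whoami dump and name its level."""
    for row in parse_whoami_groups_csv(text):
        level = integrity_level_from_sid(row.get("SID", ""))
        if level is not None:
            return level
    return None


def check_prompt(text, expected):
    """Audit helper: True when the dump shows the level you expect for that
    window (High for an elevated prompt, Medium for a standard-user one)."""
    return token_integrity_level(text) == expected


# Constructed sample: what an elevated (administrator) prompt shows.
ADMIN_DUMP = r'''
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
"Mandatory Label\High Mandatory Level","Unknown SID type","S-1-16-12288","Mandatory group, Enabled by default, Enabled group"
'''

# Constructed sample: the standard-user prompt on the same machine.
STANDARD_DUMP = r'''
"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\Medium Mandatory Level","Unknown SID type","S-1-16-8192","Mandatory group, Enabled by default, Enabled group"
'''

if __name__ == "__main__":
    for name, dump in (("administrator", ADMIN_DUMP), ("standard user", STANDARD_DUMP)):
        print("%s prompt: %s integrity" % (name, token_integrity_level(dump)))
```

On a real machine you would feed the script the text of whoami /groups /fo csv from each window; the SID, not the display name, is what the check keys on, because the name is localized and the SID is not.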


A New Sense of Pride 

Whoami hasn't necessarily acquired any new options in 
Vista, but it has gained a bit of legitimacy. Even better, it's 
got some new capabilities. Check it out! 
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Top 10 


New Program Locations in Vista 

Here’s where to find familiar programs in the latest OS 


An unavoidable side effect of upgrading to a new 
version of Windows is having to search for all the 
important programs, tools, and entertainment 
applications that have moved. So of course, in Windows 
Vista, many of your favorite programs aren't where you've 
come to expect them to be. Here are 10 of the most important 
and interesting programs you're likely to look for and 
where you can—and occasionally can't—find them in Vista. 
You might want to have this article handy the first time you 
boot the new OS. 

10 Log off and Shut down—You'll need to find the Log off and 
Shut down options in Vista early on. In Windows XP, these 
options are on the Start menu. Log off and Shut down remain 
part of the Vista Start menu, but they don't appear directly 
on the menu as they do in XP. Instead, you have to click the 
arrow icon at the bottom right corner of the Start menu to 
display these options. 

9 Printers and Faxes—Printers and Faxes also appears on the 
Start menu in XP. To find it in Vista, however, you need to 
click Start, Control Panel, Hardware and Sounds, Printers. 

8 Backup—An essential but often underused utility, XP's 
Windows Backup is located under Start, Programs, Accessories, 
System Tools, Backup. Perhaps as the result of an effort to 
make Backup easier to find, Vista puts the tool directly off 
the Start menu under Backup Status and Configuration. 

7 Telnet—The Telnet terminal emulation program is disabled 
by default in Vista. To enable Telnet, click Start, Control 
Panel, Programs, Uninstall a program (that's right—Uninstall), 
Turn Windows features on or off, then select the Telnet Client 
check box and click OK. 

6 Pinball—I have bad news for pinball fans: You won't find 
Space Cadet Pinball in Vista; Microsoft has removed it from 
the Vista games list. You can find other Vista games, such as 
Spider Solitaire and Freecell, under Start, All Programs, 
Games, Game Explorer. 

5 Network Connections—Network Connections is useful for 
managing your system's NICs. In XP, Network Connections is 
located under Start, Programs, Accessories, Communications. 
In Vista, you can find the Network Connections dialog box 
under Start, Control Panel, Network and Internet, View Network 
Status and Tasks, Manage Network Connections. 

4 Remote Desktop Connection—One of the tools that I most 
frequently use to manage my servers, Remote Desktop 
Connection, has been moved from its XP location at Start, 
Programs, Accessories, Communications. In Vista, you'll find 
it at Start, Accessories, Remote Desktop Connection. 

3 Disk Defragmenter—You used to be able to find the Microsoft 
Disk Defragmenter in XP by right-clicking My Computer and 
selecting Manage. In Vista, Disk Defragmenter is located at 
Start, All Programs, Accessories, System Tools, Disk 
Defragmenter. Surprisingly, the Vista Disk Defragmenter 
doesn't show the graphical disk fragmentation analysis 
display. 

2 Documents and Settings—XP stores all individual user 
settings in the Documents and Settings folder on the system 
drive and uses a different folder for each user. In Vista, 
however, the Documents and Settings folder is replaced by the 
new Users folder located at C:\Users. As in Documents and 
Settings, the folders under the Users folder are grouped by 
user. 

1 Administrator account—One of the biggest changes in Vista 
is how the Administrator account is handled. This account is 
disabled by default in Vista, meaning you can't log on as an 
Administrator. To enable Vista's Administrator account, open 
the Start menu, right-click Computer, and select Manage. On 
the Computer Management dialog box, open the Local Users and 
Groups node and select Users. Right-click the Administrator 
account, select Properties, then clear the Account is disabled 
check box. 

InstantDoc ID 95012 
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If you work with Windows + Linux or UNIX, 

You're invited to TechX World. 

Hear from Gartner Analyst John Enck about the 
latest trends in Windows and the *Nix platforms. 
Join industry experts Michael Otey, Darren Mar-Elia 
and Brian Komar for practical tips to manage 
and secure your heterogeneous environment. 

TechX has something for everyone, regardless of 
whether you consider yourself a Windows person 
or a Linux/UNIX diehard. It's the one event where 
the two camps can come together to find common 
ground! 

New York, May 1 
Washington, DC, May 3 
San Francisco, May 8 

A sampling of what you will learn at TechX: 

□ Where to find and how to use new tools to help you monitor 
your heterogeneous environment 

□ How to manage and secure your non-Windows systems using 
Group Policy 

□ How to break down the past communication barriers between 
Windows and *Nix systems 

□ How to secure and manage data and access management across 
heterogeneous environments 

□ Overview of today's virtualization technologies from hardware 
to applications and practical tips for using virtualization 

□ How virtualization can help you solve common IT challenges 
such as server sprawl, deployment and testing 

$99 rate for Windows IT Pro subscribers! 
Regular price is $159. 

Hurry, seats are filling fast! Register today at 
www.windowsitpro.com/go/techx2007 
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Readers Review 


Reader: 

Bill Brower 
Network operations 
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Product: 

Hyena 7.0 Enterprise 
Edition 

Company: 

SystemTools Software 

Contact: 

www.systemtools.com, 
830-779-2349, 877-797-8665 
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Undelete AD Objects 

SystemTools Software's Hyena 7.0 
Enterprise Edition 

"Makes changing the administrator password 
on every machine in your domain a snap." 

—Bill Brower, network operations manager 

Ever grumble to yourself about having to change the local 
administrator password on a workstation or in an entire domain 
because someone in IT isn't available? SystemTools Software's 
Hyena 7.0 Enterprise Edition makes that task incredibly easy 
because it lets you select a group of computers and change the 
password on an account, which makes changing the administrator 
password on every machine in your domain a snap. With Hyena, 
you can view and modify a number of different items on a 
computer, such as users, local groups, sessions, services, 
devices, user rights, scheduled jobs, and registry. You can 
also search for computers by selecting a Windows OS version or 
by selecting a type of application installed, such as Terminal 
Services. 

What's really neat about Hyena is the "View Deleted Objects" 
function. When you select this function, all deleted Active 
Directory (AD) objects are shown and can be selected and 
undeleted. This is worth the price of admission all by itself! 
In addition, Hyena provides performance measures such as disk 
space parameters on any computer in your domain. Because we 
use the Enterprise Edition, Hyena also provides Exchange Server 
features that let us create, delete, or modify Exchange 
accounts. 


What's Hot continues on page 79 
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best buy Tell Us About a Hot Product and Get a Best Buy Gift Card! 
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Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, 
and we'll send you a Best Buy gift card if we write about the product in a future Windows IT Pro What's Hot column. Send your 
product suggestions with information about how the product has helped you to whatshot@windowsitpro.com. 
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When it comes to disaster, it’s not IF, but WHEN. 
And too often, it’s when you least expect it. 


Get High-Availability and Disaster Recovery 
"In-One" With Double-Take®. It is your job to keep 
servers up, data available and prevent downtime. Failure to 
protect mission critical data and applications can set your 
business back by weeks, months or worse. Disaster 
recovery is now one of the highest IT priorities. 

In today's business climate, you have to have a tested 
plan and reliable tools in place for the moment your 
server (or site) goes down. Double-Take is that 
tool. Sold more than all other High-Availability tools 
combined, it is even certified for W2K Datacenter. No other 
HA tool is. A whole department sitting on their hands can 
cost thousands of dollars per minute. The ROI of 
Double-Take is a no-brainer. 

Double-Take delivers real-time data replication 
combined with fail-over so you have high-availability 
and disaster recovery for your (virtual) Windows 
Servers — safely and securely. 

This is the reason that hundreds of Fortune 500 companies 
worldwide use Double-Take to ensure their business 
continuity. Three levels of data compression allow more 
data to be replicated and increase performance and 
scalability. 

Double-Take gives you the peace of 
mind your data is safe and your job 
secure. Don't wait. Download a free 
30-day eval copy right now and start 
protecting your data and applications. 

Microsoft Windows Server 2003 

Download your free eval copy today! 

Sunbelt Software 

Sunbelt Software Tel: 1-888-688-8457 or 1-727-562-0101 Fax: 1-727-562-5199 www.sunbelt-software.com sales@sunbelt-software.com 

© 2006 Sunbelt Software. All rights reserved. Double-Take is a trademark of Double-Take Software. All trademarks used are owned by their respective companies. 


What's Hot 




Effortlessly Gather Information on Your Windows Machines 

MVsoft's MvPCinfo 2.1 

My customers needed a tool that let them see what's loaded on 
their computers and what patches they currently have. Luckily, 
I found a gem with MVsoft's mvPCinfo 2.1, an all-in-one tool 
that collects information about Windows machines, from Windows 
3.1 onward. MvPCinfo reports on just about every aspect of the 
computer, including IRQs, software and licenses installed, and 
types of hardware such as memory, video card, and hard disk. 
You can then take this information and build a report in HTML, 
TXT, XML, or CSV formats. The software doesn't require 
installation on workstations because it can run from a floppy 
drive, USB drive, network drive, or from a domain login script. 
This little piece of software provides the ability to get a 
snapshot of nearly the entire system. 

"This little piece of software gives 
you the ability to get a snapshot 
of nearly the entire system." 

—Jefferson Thatcher, CCE, MCSE 

An mvPCinfo personal license—which costs $29—lets you install 
a copy of the software on a computer and freely move the 
software from one computer to another, given that you're the 
only one using the software. A site license—which costs 
$299—lets you use the software within one geographical 
location of a company. This license allows simultaneous usage 
of the product on an unlimited number of a company's 
computers, including running from a network server logon 
script. I think mvPCinfo is great software and if you need to 
do configuration management, it's the tool to have. 


What's Hot continues on page 82 


Reader: 

Jefferson Thatcher 
CCE, MCSE 

Product: 

MvPCinfo 2.1 

Company: 

MVsoft 

Contact: 

www.mvpcinfo.com 



IT Automation 

WinBatch automates Windows PCs Fast 

* Simple scripting 
* 800+ practical examples 
* 2,500 case studies 
* 30 special purpose libraries and extenders 

"WinBatch gives you the power that only 
top notch C++ or VB developers can enjoy." 

K.H., Network Services Manager 

Free Trial Copy 
www.winbatch.com 
90 day unconditional money back guarantee 
sales@winbatch.com 
1-800-762-8383 
Wilson WindowWare, Inc. 

Guaranteed * Supported * Complete 


XenSource 

Proven Server Virtualization 

Windows Servers Now! 

x86 Server Virtualization providing Blazing Fast 
Bare Metal Performance with a seamless upgrade path 

Download XenExpress for free! 

www.xensource.com/win or call 650.798.5900 

Plus, get a free t-shirt when you refer three friends! 

Simply Virtualize. 

Attend the world-wide roadshow on 
Server Consolidation sponsored by 
Intel, IBM and XenSource. 

Learn more at www.xensource.com/virtualize 
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Everything you need to get your website online. 

1&1 delivers the best value for your money. 
Compare for yourself... 

                              HOME                 STARTER                         DELUXE 
Included Domains              2                    1                               $1.99/year with purchase 
Web Space                     120 GB               5 GB                            100 GB 
Monthly Transfer Volume       1,200 GB             200 GB                          1,000 GB 
E-mail Accounts               1,200 IMAP or POP3   200 POP3                        1,000 POP3 
RSS Feed Creator              ✓                    —                               $4.99/month 
Flash Site Builder            12 Pages             —                               — 
Dynamic Web Content           ✓                    ✓                               — 
Starter Software Suite        ✓                    —                               — 
90-Day Money Back Guarantee   ✓                    —                               — 
Price Per Month               $3.74                $11.95 (25% off for 2 months)   $[illegible].99 

MEMBER OF united internet 

call 1.877.go1and1 or visit us now at 1and1.com 

Save 25% Today. Limited Time Offer 
On All Shared Hosting Packages. Limited Time 

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1&1 HOME PACKAGE 

Our complete web hosting solution gives you everything 
you need to quickly and easily create an attractive website 
for your family, your hobbies, or for posting your photos on 
the Internet. Get started today! 

1&1 WebsiteBuilder 
1&1 DynamicSiteCreator 
1&1 Blog 
1&1 EasyRSS 
24/7 Phone & E-mail Support 
90-Day Money Back Guarantee 
...and so much more! 

per month 

We offer a variety of hosting packages 
to fit your needs and budget, visit 
1and1.com for details. 

© 2007 1&1 Internet, Inc. All rights reserved. Discount offer is for a limited time only and applies to the purchase of a two year contract of a 1&1 Internet, Inc. shared 
hosting package. Visit 1and1.com for details. Prices based on a comparison of regular Linux prices, effective 3/2/2007. Product and program specifications, availability, 
and pricing subject to change without notice. Go Daddy is a registered trademark of GoDaddy.com, Inc.; Yahoo! is a registered trademark of Yahoo! Inc. 

1and1.com 

















What’s Hot 


Spam Management Made Easy 

Fastnet’s MailCleaner Enterprise 

Reader: 

Silvio Viotti 
MCP, IT engineer 

Product: 

MailCleaner Enterprise 

Company: 

Fastnet 

Contact: 

www.mailcleaner.net 


For the past three years, I've been using Fastnet's antispam 
and antivirus solution MailCleaner Enterprise for over 10,000 
mailboxes that our university owns. I really like the way 
MailCleaner handles the spam and the freedom it gives me to 
control it. I can let spam email come directly to my mailbox, 
flag it by subject, or leave it on the server to be 
automatically deleted. The software can also send me daily, 
weekly, or monthly reports about all spam email deleted. 
What's also nice is MailCleaner's GUI. The GUI isn't sexy by 
any means, but I don't care about that because I'd rather have 
a good product with a simple GUI than a great GUI with poor 
results. 

"It's the product's 
quality and efficiency 
of service that I like." 

—Silvio Viotti, MCP, IT engineer 

When I look in the spam list, I can sort the mail by sender, 
date, or subject and can easily force a false negative. You 
can also choose to show 20, 50, or 100 messages per page. When 
I get a false negative or false positive, I just send a 
message to Fastnet and they analyze the email to see whether 
or not it will come to my mailbox. It's the product's quality 
and efficiency of service that I like. I've been using 
MailCleaner for a while and I've only had about 10 false 
negatives. Another big benefit is that all filtering is made 
outside of users' machines. They don't have to worry about 
updating filters, sorting mail, and so on. I know most of my 
users don't want to see reports and would rather let 
MailCleaner erase spam. 


What's Hot continues on page 83 
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download free trial 

■ behavior-based host IPS + application firewall 
■ stop known, new & internal threats 
■ overcome lapses in patch management 
■ reinforce regulatory compliance 

sales@privacyware.com ■ www.privacyware.com 


Imagine... 

* Automated migrations 
* Minimal downtime 
* VM integrity maintained 
* GUI driven, no scripting 
* Managed cutover options 

For a free white paper on 
"Best Practices for Migration to VMware Infrastructure 3" 
visit www.vizioncore.com/migrations.html 
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What’s Hot 




Real-Time Event Auditing and Alerting for AD 

NetPro's ChangeAuditor 3.5 

"ChangeAuditor provided 
the complete picture of 
AD changes without relying on 
Windows event logs." 

—Nathan Casey, network analyst 

With a small staff to manage 4,000 users, I needed a solution 
that would provide real-time event auditing and alerting 
capabilities for Active Directory (AD). I also wanted 
something that eliminated the cumbersome and time-consuming 
task of auditing Windows event logs to audit AD or Windows 
changes. With its intelligent event consolidation and 
correlation capabilities, NetPro's ChangeAuditor 3.5 helps me 
understand exactly what types of changes occurred and the most 
critical details about each change. This detail includes not 
only who made the change but also—and equally important—both 
the previous and new values. We tried other solutions, but 
ChangeAuditor provided the complete picture of AD changes 
without relying on Windows event logs. 

ChangeAuditor identifies AD configuration, group, and user 
changes as they occur and provides what NetPro refers to as 
the "5 Ws." This includes who made the change, what the change 
was, when the change was made, where the change was made, and 
why the change was made. Further, I can create custom alerts 
to keep me informed of changes to a single group, or I can 
track all changes made by a single administrator. 
ChangeAuditor also provides comprehensive coverage of Group 
Policy Objects (GPOs), including hundreds of prebuilt alerts 
designed to keep me posted on the changes that affect vital 
policies. 

InstantDoc ID 95203 


Reader: 

Nathan Casey 
Network analyst 

Product: 

ChangeAuditor 3.5 

Company: 

NetPro 

Contact: 

www.netpro.com, 

602-346-3600, 

800-998-5090 



Bringing Your Assets into Focus 


Without a comprehensive IT asset management solution in place, you may only be seeing half the picture. 
That presents dangers like system downtime from improper upgrades, poor customer service, overpaying 
on license fees and inappropriate usage of software/internet by employees. 


NetSupport DNA facilitates central management of your enterprise IT assets in a secure, coordinated 
and efficient manner. NetSupport DNA is available in a modular format including Hardware and Software 
Inventory, Alerting and Change History with Software Distribution, Application/Internet Usage Metering, 
PC Remote Control and Web-Based Helpdesk. NetSupport DNA provides a flexible solution that can be 
operational in under 30 minutes and requires no additional training or certification. 


Discover assets. Uncover inefficiencies. Recover costs. 


Get the whole picture with NetSupport DNA. 


For more information and to download a free trial copy - visit: 

www.netsupportdna.com 


sales@netsupport-inc.com 


NetSupport 

770-205-4456 www.netsupport-inc.com 
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What Would You Monitor? 


What if you could quickly see a real-time graphical display of 
specific information to understand progress and make better 
decisions in life. Well, until then, PowerGadgets provides IT and DB 
professionals with charts, maps and gauges for real-time desktop 
monitoring of applications, networks or databases utilizing such 
technologies as Windows PowerShell, Windows XP, Windows Vista 
Sidebar or Windows Server. Free trial at www.powergadgets.com. 


Better Decisions Through 
Desktop Data Visualization 


©2007 PowerGadgets LLC. All rights reserved. PowerGadgets is a registered trademark of PowerGadgets LLC. All other brands are owned by their respective owners. 


www.powergadgets.com 


My grades? 
Oh, they're fine. 


Urgent Desktop Alert 

Would you like to alert your users of urgent 
information direct to their desktops? 

Sick of employees not paying attention to important 
emails? 

ACEmessage is a Desktop Alert Solution to deliver 
messages over open applications on the user's 
desktop... instant information! 

ACEmessage 

# Fast, One-Way, Centralised Alert Distribution 
# Desktop Popup Styles (Fullscreen, Banner, Balloon, Discreet) 
# Message thousands of Desktops in minutes 
# Active Directory Integration 
# Free 30 Day Trial 

For more information visit WWW.Spydamdn.CQm 


FREE 14 DAY TRIAL 



Performance Monitoring Software for 
Websites, Applications and Infrastructure 

Continuous website, server and infrastructure monitoring 
is critical to ensuring that your website and web-based 
applications are available and performing with acceptable 
response times. 


WebWatchBot 5.0 features 


Real-time, end-to-end view 
of performance 

Visibility into complex web- 
based applications and 
underlying infrastructure 

Ability to detect problems 
before they impact the 
end user 

Agentless installation - 
get up and running fast 



www. WebWatchBot.com 


Exclamation 




Faxes 

They won't go away. 

Get rid of the fax machines. 
Get control of your faxes. 

Get a fax server. 

Better yet, get the best 
fax server— FaxCore— 
and it will seem like 
the faxes went away. 

FaxCore - so reliable you'll forget you have it. 


+1(720)870-2900 

WHEN EVERY FAX IS MISSION CRITICAL 

www.faxcore.com • sales@faxcore.com 

1-267-895-1726 Direct 
1-866-489-0111 Toll Free US and Canada 


Ordering the Windows IT Pro Master CD is like 
pocketing a team of Windows experts. 



Packed with thousands of articles, bonus 
content, and loads of expert advice— 
getting the Windows IT Pro Master CD 
is like pocketing your very own team of 
professional Windows IT consultants. 

And at a fraction of the cost. 

Search for articles by keyword, subject, 
author or issue. Get real-world solutions 
in lightning-fast time—order the 
Windows IT Pro Master CD today. 

Only $59.95 


DIRECTORY OF SERVICES 

Windows IT Pro Network 


Ad Index 


Search our network of sites dedicated to hands-on technical 
information for IT professionals. 

http://www.windowsitpro.com 

Support 

Join our discussion forums. Post your questions and get 
advice from authors, vendors, and other IT professionals. 

http://www.windowsitpro.com/forums 

News 

Check out the current news and information about 
Microsoft Windows technologies. 

http://www.wininformant.com 

EMAIL NEWSLETTERS 

Get free NT/2000/XP/2003 news, commentary, and tips 
delivered automatically to your desktop. 

Windows IT Pro UPDATE 
Vista UPDATE 

Windows Tips & Tricks UPDATE 
Win Info Daily UPDATE 
.NET Briefing 

Exchange & Outlook UPDATE 
Scripting Central 
Security UPDATE 

SQL Server 2005 Express UPDATE 
SQL Server Magazine UPDATE 
Storage UPDATE 
Windows IT Library UPDATE 
Connected Home EXPRESS 

http://www.windowsitpro.com/email 

PRO VIP ACCESS 

Exchange & Outlook Pro VIP 

Discover smart solutions for Exchange and 

Outlook administrators. 

http://www.exchangeprovip.com 

Scripting Pro VIP 

Learn how to create more powerful scripts and get tips 
for automating those tedious administrative tasks. 

http://www.scriptingprovip.com 

Security Pro VIP 

Discover practical, how-to advice for avoiding and 
solving security problems. 

http://www.securityprovip.com 

RELATED PRODUCTS 

Custom Reprint Services 

Order reprints of Windows IT Pro articles. Contact Joel 
Kirk at jkirk@penton.com. 

Super CD/VIP 

Get exclusive access to all of our print publications, including 
Windows IT Pro, via the new, banner-free VIP Web site. 

http://www.windowsitpro.com/sub/vip 

Article Archive CD 

Access every article ever printed in Windows IT Pro 
magazine since September 1995 with this portable and 
speedy tool. 

http://www.windowsitpro.com/sub/cd 
SQL SERVER MAGAZINE 

Explore the hottest new features of SQL Server, and 
discover practical tips and tools. 

http://www.sqlmag.com 

www.windowsitpro.com 
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Send your funny screen shots, juicy rumors, or industry humor to rumors@windowsitpro.com. 
If we use your submission, you’ll receive a Ctrl+Alt+Del coffee mug. 


Mouse Move Change 

Your mouse has moved. Windows must be restarted for the change to take effect. 


Random Error 

You have not gotten any error messages recently, 
so here is a random one just to let you know that 
we haven't started caring. 

OK 


Windows 95 ERROR 

Stack overflow. Internal stack fall down 
and go boom. 

PEBKAC - Problem Exists Between Keyboard And Chair 

Abort    Retry    Ignore 


Windows has encountered an unknown error. 

The error is unknown because the guy who wrote this part of the code quit a while back and he 
was like really really smart and the rest of us are not really sure how this works or what to do. 

BTW, if you are that guy, please give us a call and let us know what to do. 

Restart Computer    Try again    Forget it, I'll just watch TV 
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Lose that important file? 

Protect against accidental file deletions with NEW Undelete® 5 

Now with version protection for Microsoft ® Office files 


According to the New York Times, file loss costs businesses an estimated $13 billion per year. The problem 
is that the Windows® recycle bin doesn't capture every deleted file, particularly files deleted over the 
network and older "saved-over" versions of Microsoft Office files. Not even your backup system provides 
comprehensive real-time protection. 

Now you can get complete up-to-the-minute file protection with 
instant recovery—get new Undelete 5! 

• NEW! Version protection allows instant recovery of older versions of 
Microsoft Word, Excel and PowerPoint® files 

• EXCLUSIVE! Recovery of deleted files is easy and instant 

• EXCLUSIVE! Undelete 5 captures and protects all deleted files in real 
time—even files deleted by other systems over the network. No more 
lengthy backup restores! 

• Server and workstation editions available 

Try Undelete FREE! 

Visit: www.undelete.com/winUD5 

For volume license pricing and government or educational discounts, 
contact your favorite reseller or call 800-829-6468 reference number 4330 


©2007 Diskeeper Corporation. All Rights Reserved. Undelete, Diskeeper and the Diskeeper Corporation logo are registered trademarks or trademarks of Diskeeper 
Corporation in the United States and/or other countries. Microsoft, Windows and PowerPoint are either registered trademarks or trademarks owned by Microsoft 
Corporation in the United States and/or other countries. Diskeeper Corporation • 7590 N. Glenoaks Blvd. Burbank, CA 91504 • 800-829-6468 • www.undelete.com 


SERVER SECURITY ISSUES 
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Don't lose sight of what's most important: take a load off 
with ScriptLogic's File Server Management Solution. 

ScriptLogic’s File Server Management Solution includes two award-winning server 
management products, combined to offer a comprehensive cure for security 
headaches. With the File Server Management Solution, you will be able to proactively 
assess, manage, and validate critical security settings with ease! 

Ease the burden of security assessment 

> Run over 100 turnkey reports or customize to your needs. 

Manage security easily and efficiently 

> Centrally manage NTFS, share, registry and other permissions from a central console. 

> Backup and restore NTFS permissions to enforce standards. 


Simplify Validation and Reporting 

> Generate detailed reports on-demand. 

> Automate reports and schedule them to be 
emailed to the project owner. 


Point, Click, Done! 

Download a 30-day trial today at www.ScriptLogic.com/fean 